CVE-2025-47886
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Jenkins Cadence vManager Plugin allows attackers to make Jenkins connect to an attacker-controlled URL with attacker-supplied credentials.
Vulnerability
Overview
A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Cadence vManager Plugin versions 4.0.1-286.v9e25a_740b_a_48 and earlier. The plugin fails to validate the origin of HTTP requests, allowing an attacker to craft a malicious page that, when visited by an authenticated Jenkins user, triggers a request to the plugin's endpoint. This causes Jenkins to connect to an attacker-specified URL using attacker-specified username and password [1][3][4].
Exploitation
Prerequisites
Exploitation requires tricking a Jenkins user with appropriate permissions (e.g., job configuration) into clicking a link or visiting a malicious page. No additional authentication is needed for the attacker, as the plugin does not enforce CSRF tokens or origin checks on the vulnerable endpoint [4].
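To show the control the narrative says is missing, here is an added illustration of a Jenkins form-validation endpoint, with the weak shape beside the hardened one. This is not code from the vManager plugin or from the Jenkins project; the class, method and parameter names are assumptions, while the Jenkins APIs used (@RequirePOST, @QueryParameter, @AncestorInPath, FormValidation, checkPermission) are real.

```java
package example; // hypothetical package; not the plugin's code

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ExampleConnectionBuilder extends Builder {

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // Weak form (the pattern behind this bug class): reachable by GET, so a
        // link or image on any page the user visits can trigger it, and no
        // permission check, so any authenticated user can drive the connection.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                    @QueryParameter String username,
                                                    @QueryParameter String password) {
            return tryConnect(url, username, password);
        }

        // Hardened form: @RequirePOST rejects GET, so Jenkins' CSRF crumb check
        // applies to the request; the permission check ties the action to the
        // job being configured (or to ADMINISTER when called outside a job).
        @RequirePOST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String url,
                                               @QueryParameter String username,
                                               @QueryParameter String password) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return tryConnect(url, username, password);
        }

        // Connection logic is out of scope for this illustration.
        private FormValidation tryConnect(String url, String username, String password) {
            return FormValidation.ok("Would connect to " + url + " as " + username);
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
    }
}
```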
Impact
An attacker can force Jenkins to connect to any external URL with arbitrary credentials, potentially exfiltrating sensitive data, performing actions on external systems, or leveraging Jenkins as a proxy for further attacks. This could lead to credential theft or unauthorized access to external services [4].
Mitigation
The vulnerability is fixed in Cadence vManager Plugin version 4.0.2 (or later), as addressed in pull request #25 [2]. Users should upgrade immediately. No workaround is available [2][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:vmanager-plugin (Maven) | < 4.0.1-288.v8804b_ea_a_cb_7f | 4.0.1-288.v8804b_ea_a_cb_7f |
Affected products
- Range: <= 4.0.1-286.v9e25a_740b_a_48
- Jenkins Project / Jenkins Cadence vManager Plugin (v5), range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5w52-96jj-fv59 (source: ghsa; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-47886 (source: ghsa; type: advisory)
- www.jenkins.io/security/advisory/2025-05-14/ (source: ghsa; type: vendor advisory, web)
- github.com/jenkinsci/vmanager-plugin/pull/25 (source: ghsa; type: web)
- github.com/jenkinsci/vmanager-plugin/releases/tag/4.0.1-288.v8804b_ea_a_cb_7f (source: ghsa; type: web)
News mentions
- Jenkins Security Advisory 2025-05-14 (Jenkins Security Advisories, May 14, 2025)