CVE-2025-58459
Description
Jenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier lacks permission checks in REST API endpoints, allowing attackers with Overall/Read to enumerate graph IDs.
Vulnerability
Overview
The Jenkins global-build-stats Plugin, versions 322.v22f4db_18e2dd and earlier, fails to perform permission checks in its REST API endpoints. This missing authorization allows any attacker who has the Overall/Read permission to enumerate graph IDs from the plugin's data. The plugin is designed to gather and display global build result statistics, and its REST API is used for operations such as creating, updating, and deleting charts [1][2].
Exploitation
An attacker with only the Overall/Read permission, which is a relatively low-privilege permission in Jenkins, can exploit this vulnerability by sending requests to the plugin's REST API endpoints. No additional authentication or privileges are required beyond that basic permission. The attack does not require any special network position or user interaction [2][3].
Impact
By enumerating graph IDs, an attacker can learn about the existence and identifiers of charts configured in the global-build-stats plugin. While this information alone may not directly lead to data modification or code execution, it can serve as reconnaissance for further attacks, such as targeting specific charts for manipulation or information disclosure [2][3].
Mitigation
The vulnerability has been fixed in global-build-stats Plugin version 347.v32a_eb_0493c4f and later. Users are strongly advised to update to this version or newer. The Jenkins security advisory for September 3, 2025, includes this fix along with other plugin security updates [3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:global-build-stats (Maven) | < 347.v32a | 347.v32a |
Affected products
- Range: <= 322.v22f4db_18e2dd
- Jenkins Project / Jenkins global-build-stats Plugin, Range: 0
Patches
32aeb0493c4f [SECURITY-3535]
1 file changed · +18 −1
src/main/java/hudson/plugins/global_build_stats/GlobalBuildStatsPlugin.java+18 −1 modified@@ -26,6 +26,7 @@ import jakarta.servlet.ServletException; +import jenkins.model.Jenkins; import net.sf.json.JSONObject; import org.jfree.chart.JFreeChart; @@ -123,16 +124,32 @@ public GlobalBuildStatsApi(Object bean) { public void doJson(StaplerRequest2 req, StaplerResponse2 rsp) throws IOException, ServletException { if(!exposeChartData(req, rsp, Flavor.JSON)){ + Jenkins.get().checkPermission(getRequiredPermission()); super.doJson(req, rsp); } } @Override public void doPython(StaplerRequest2 req, StaplerResponse2 rsp) throws IOException, ServletException { if(!exposeChartData(req, rsp, Flavor.PYTHON)){ + Jenkins.get().checkPermission(getRequiredPermission()); super.doPython(req, rsp); } } + @Override + public void doXml( + StaplerRequest2 req, + StaplerResponse2 rsp, + @QueryParameter String xpath, + @QueryParameter String wrapper, + @QueryParameter String tree, + @QueryParameter int depth + ) throws IOException, ServletException { + if (!exposeChartData(req, rsp, Flavor.XML)) { + Jenkins.get().checkPermission(getRequiredPermission()); + super.doXml(req, rsp, xpath, wrapper, tree, depth); + } + } private static boolean exposeChartData(StaplerRequest2 req, StaplerResponse2 rsp, Flavor flavor) throws ServletException, IOException{ boolean chartDataHasBeenExposed = false; @@ -456,7 +473,7 @@ public List<BuildStatConfiguration> getBuildStatConfigs() { return buildStatConfigs; } - public Permission getRequiredPermission(){ + public static Permission getRequiredPermission(){ return Hudson.ADMINISTER; }
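Review bot: in the `@@ -123,16 +124,32 @@` hunk the new `Jenkins.get().checkPermission(getRequiredPermission());` in `doJson`, `doPython` and the added `doXml` override runs only on the branch where `exposeChartData(...)` returned false, so the chart-data response written when it returns true is still produced before any permission check in this hunk; either confirm that `exposeChartData` enforces its own authorization or move the check ahead of the `if` so both paths are covered. The `doXml` override also references `@QueryParameter`, while the only import this commit adds is `jenkins.model.Jenkins`; verify that `org.kohsuke.stapler.QueryParameter` is already imported in this file, since the diff context does not show it.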
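Review bot: in the `@@ -456,7 +473,7 @@` hunk, changing `public Permission getRequiredPermission()` to `public static` is a binary-incompatible change to a public method (any subclass overriding it no longer compiles), so it deserves a changelog note. The body still returns `Hudson.ADMINISTER`; given that this commit now imports `jenkins.model.Jenkins`, `Jenkins.ADMINISTER` is the same permission without going through the deprecated `Hudson` class.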
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gm8g-fh49-qq6v (ghsa, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-58459 (ghsa, advisory)
- www.jenkins.io/security/advisory/2025-09-03/ (ghsa, vendor advisory, web)
- www.openwall.com/lists/oss-security/2025/09/03/4 (ghsa, web)
- github.com/jenkinsci/global-build-stats-plugin/commit/32aeb0493c4ff5423448576f477ac612f7a25138 (ghsa, web)
News mentions
- Jenkins Security Advisory 2025-09-03, Jenkins Security Advisories · Sep 3, 2025