CVE-2025-64140
Description
Jenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller, allowing attackers with Item/Configure permission to execute arbitrary shell commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Azure CLI Plugin 0.9 and earlier lacks command restrictions, letting attackers with Item/Configure permission execute arbitrary shell commands on the controller.
Vulnerability
The Jenkins Azure CLI Plugin, versions 0.9 and earlier, does not restrict the commands it executes on the Jenkins controller. The plugin is designed to run Azure CLI commands, but it fails to validate or confine the commands that can be submitted, allowing any shell command to be executed through the plugin's interface [1][3].
Exploitation
An attacker needs only the Item/Configure permission on a job to exploit this vulnerability. By crafting a job configuration that includes a malicious command, the attacker can trigger the plugin to run arbitrary shell commands on the Jenkins controller. No additional authentication or network access is required beyond standard Jenkins job configuration capabilities [1][2].
Impact
Successful exploitation grants the attacker the ability to execute arbitrary shell commands on the Jenkins controller with the privileges of the Jenkins process. This can lead to full compromise of the Jenkins server, including data exfiltration, lateral movement, or disruption of operations [1][3].
Mitigation
As of the advisory publication date (2025-10-29), no fix has been released for this vulnerability; the Jenkins advisory lists the issue as unresolved in the plugin. Administrators should restrict Item/Configure permission to trusted users only and consider disabling the plugin until a patched version becomes available [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:azure-cli | Maven | <= 0.9 | none |
Affected products
- Range: <=0.9
- Jenkins Project / Jenkins Azure CLI Plugin (v5): Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-rh72-238f-g26q (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-64140 (GHSA, advisory)
- www.jenkins.io/security/advisory/2025-10-29/ (GHSA, vendor advisory, web)
- www.openwall.com/lists/oss-security/2025/10/29/2 (GHSA, web)
News mentions
- Jenkins Security Advisory 2025-10-29 (Jenkins Security Advisories, Oct 29, 2025)