Jenkins Security Advisory Warns of Four Medium-Severity Plugin Vulnerabilities
Jenkins released a security advisory on September 3, 2025, disclosing four vulnerabilities in the Git client, global-build-stats, Jakarta Mail API, and OpenTelemetry plugins, urging administrators to update immediately.

Jenkins released a security advisory on September 3, 2025, disclosing four medium-severity vulnerabilities affecting the Git client, global-build-stats, Jakarta Mail API, and OpenTelemetry plugins. The flaws range from information disclosure and missing permission checks to SMTP command injection and credential capture. Administrators are urged to update the affected plugins to the latest versions to mitigate potential exploitation.
The most notable vulnerability, tracked as CVE-2025-58458, resides in the Git client Plugin (versions 6.3.2 and earlier, except 6.1.4 and 6.2.1). The plugin allows specifying the experimental amazon-s3 protocol for use with the bundled JGit library. This protocol authenticates against Amazon S3 based on the contents of a file whose path is provided as the authority part of the URL (amazon-s3://path-to-file@bucketname/folder). Although a bug prevents the protocol from performing any actions, error messages can reveal whether a specified file path exists on the Jenkins controller. Attackers with appropriate permissions, such as Credentials/Use Item (implied by Item/Configure), can exploit this to check for the existence of arbitrary files. Jenkins instances using command-line Git exclusively (the default) are unaffected. The fix in Git client Plugin 6.3.3 prohibits use of the amazon-s3 protocol with JGit.
The Jakarta Mail API Plugin (versions 2.1.3-2 and earlier) bundles versions of Angus Mail vulnerable to CVE-2025-7962, an SMTP command injection flaw. Attackers who can control recipient email addresses of emails sent by Jenkins can use this vulnerability to send emails with arbitrary contents to arbitrary recipients. Jakarta Mail API Plugin 2.1.3-3 updates Angus Mail to version 2.0.4, which is unaffected.
The global-build-stats Plugin (versions 322.v22f4db_18e2dd and earlier) lacks permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs. These IDs can then be used to access those graphs. The fix in version 347.v32a_eb_0493c4f requires Overall/Administer permission to access the REST API endpoints.
The OpenTelemetry Plugin (versions 3.1543.v8446b_92b_cd64 and earlier) fails to perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, effectively capturing credentials stored in Jenkins. The fix in version 3.1543.1545.vf5a_4ec123769 requires Overall/Administer permission for the affected form validation method.
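As an added example, not part of the advisory or of any Jenkins project code, the script below flags installed plugins that are still on the affected versions listed above, reading the inventory shape Jenkins exposes at /pluginManager/api/json?depth=1. The plugin ids (shortName values) and the simplified version ordering are assumptions; the affected-version boundaries and backported exceptions come from the advisory.

```python
import json
import re

# Affected-version data is taken from the advisory summary above; the plugin ids
# (Jenkins "shortName" values) are assumed, check them against your update center.
ADVISORY = {
    "git-client":         {"last_affected": "6.3.2", "not_affected": {"6.1.4", "6.2.1"}},
    "jakarta-mail-api":   {"last_affected": "2.1.3-2", "not_affected": set()},
    "global-build-stats": {"last_affected": "322.v22f4db_18e2dd", "not_affected": set()},
    "opentelemetry":      {"last_affected": "3.1543.v8446b_92b_cd64", "not_affected": set()},
}

def version_key(version):
    """Approximation (assumed) of Jenkins' VersionNumber ordering: split on '.' and '-',
    compare numeric tokens numerically, and rank a non-numeric token such as
    'v8446b_92b_cd64' below any numeric one, so 3.1543.v... sorts before 3.1543.1545.v..."""
    key = []
    for tok in re.split(r"[.-]", version):
        key.append((1, int(tok), "") if tok.isdigit() else (0, 0, tok))
    return tuple(key)

def is_affected(plugin_id, version):
    """True when the installed version is at or below the last affected version
    and is not one of the backported fix releases named in the advisory."""
    entry = ADVISORY.get(plugin_id)
    if entry is None or version in entry["not_affected"]:
        return False
    return version_key(version) <= version_key(entry["last_affected"])

def affected_plugins(inventory_json):
    """Return {plugin_id: version} for installed plugins still on affected versions.
    Input shape matches the Jenkins /pluginManager/api/json?depth=1 response."""
    data = json.loads(inventory_json)
    return {p["shortName"]: p["version"] for p in data["plugins"]
            if is_affected(p["shortName"], p["version"])}

# Constructed sample inventory (not captured from a real controller).
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git-client", "version": "6.2.1"},
    {"shortName": "jakarta-mail-api", "version": "2.1.3-2"},
    {"shortName": "global-build-stats", "version": "347.v32a_eb_0493c4f"},
    {"shortName": "opentelemetry", "version": "3.1543.v8446b_92b_cd64"},
    {"shortName": "workflow-job", "version": "1505.vea_4b_20a_4a_495"},
]})

if __name__ == "__main__":
    for pid, ver in affected_plugins(SAMPLE).items():
        print(f"UPDATE NEEDED: {pid} {ver}")
```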
All four vulnerabilities were reported by researchers at CloudBees, Inc., including Daniel Beck (SECURITY-3535 and SECURITY-3590) and Kevin Guerroudj (SECURITY-3602). The Jenkins project has released updated plugin versions that include fixes for all vulnerabilities. Administrators should update the affected plugins immediately to reduce the risk of exploitation. This advisory underscores the importance of keeping CI/CD infrastructure components patched, as even medium-severity flaws can be chained or leveraged in broader attacks.