{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-59474", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2025-09-16T16:16:05.525Z", "datePublished": "2025-09-17T13:17:47.174Z", "dateUpdated": "2025-11-04T21:13:51.125Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2025-09-17T13:17:47.174Z"}, "affected": [{"vendor": "Jenkins Project", "product": "Jenkins", "versions": [{"version": "0", "versionType": "maven", "lessThan": "2.387", "status": "unaffected"}, {"version": "2.516.3", "versionType": "maven", "lessThan": "2.516.*", "status": "unaffected"}, {"version": "2.528", "versionType": "maven", "lessThan": "*", "status": "unaffected"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget."}], "references": [{"name": "Jenkins Security Advisory 2025-09-17", "url": "https://www.jenkins.io/security/advisory/2025-09-17/#SECURITY-3594", "tags": ["vendor-advisory"]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-862", "lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-09-25T18:41:24.213055Z", "id": "CVE-2025-59474", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-25T18:41:28.195Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/09/17/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T21:13:51.125Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/09/17/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T21:13:51.125Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-59474", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-25T18:41:24.213055Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-25T18:41:11.598Z"}}], "cna": {"affected": [{"vendor": "Jenkins Project", "product": "Jenkins", "versions": [{"status": "unaffected", "version": "0", "lessThan": "2.387", "versionType": "maven"}, {"status": "unaffected", "version": "2.516.3", "lessThan": "2.516.*", "versionType": "maven"}, {"status": "unaffected", "version": "2.528", "lessThan": "*", "versionType": "maven"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.jenkins.io/security/advisory/2025-09-17/#SECURITY-3594", "name": "Jenkins Security Advisory 2025-09-17", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2025-09-17T13:17:47.174Z"}}}, "cveMetadata": {"cveId": "CVE-2025-59474", "state": "PUBLISHED", "dateUpdated": "2025-11-04T21:13:51.125Z", "dateReserved": "2025-09-16T16:16:05.525Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2025-09-17T13:17:47.174Z", "assignerShortName": "jenkins"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "AD4E6E0A-5B01-4B41-ACAB-EEF706AE974C", "versionEndExcluding": "2.516.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "C85AC4DD-437B-4143-8E3D-5E42B9EA8160", "versionEndExcluding": "2.528", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget."}], "id": "CVE-2025-59474", "lastModified": "2025-11-04T22:16:35.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-17T14:15:41.067", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2025-09-17/#SECURITY-3594"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/09/17/1"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "jenkins: Missing permission check allows obtaining agent names", "id": "2396094", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396094"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-862", "details": ["A flaw was found in Jenkins. A missing permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission allows attackers without Overall/Read permission to list agent names via its sidepanel executors widget."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-59474", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}], "public_date": "2025-09-17T13:17:47Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-59474\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59474\nhttps://www.jenkins.io/security/advisory/2025-09-17/#SECURITY-3594"], "threat_severity": "Moderate"}

{"created": "2025-09-18T12:41:30.410228+00:00", "updated": "2025-09-18T12:41:30.410305+00:00", "vendors": ["jenkins", "jenkins$PRODUCT$jenkins"]}