{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67639", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2025-12-09T17:33:01.215Z", "datePublished": "2025-12-10T16:50:38.218Z", "dateUpdated": "2025-12-10T17:27:25.419Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2025-12-10T16:50:38.218Z"}, "affected": [{"vendor": "Jenkins Project", "product": "Jenkins", "versions": [{"version": "2.541", "versionType": "maven", "lessThan": "*", "status": "unaffected"}, {"version": "2.528.3", "versionType": "maven", "lessThan": "2.528.*", "status": "unaffected"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account."}], "references": [{"name": "Jenkins Security Advisory 2025-12-10", "url": "https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-1166", "tags": ["vendor-advisory"]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-10T17:27:23.050997Z", "id": "CVE-2025-67639", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-10T17:27:25.419Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-67639", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-10T17:27:23.050997Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-10T17:27:19.424Z"}}], "cna": {"affected": [{"vendor": "Jenkins Project", "product": "Jenkins", "versions": [{"status": "unaffected", "version": "2.541", "lessThan": "*", "versionType": "maven"}, {"status": "unaffected", "version": "2.528.3", "lessThan": "2.528.*", "versionType": "maven"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-1166", "name": "Jenkins Security Advisory 2025-12-10", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2025-12-10T16:50:38.218Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67639", "state": "PUBLISHED", "dateUpdated": "2025-12-10T17:27:25.419Z", "dateReserved": "2025-12-09T17:33:01.215Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2025-12-10T16:50:38.218Z", "assignerShortName": "jenkins"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account."}], "id": "CVE-2025-67639", "lastModified": "2025-12-12T15:18:42.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-10T17:15:56.400", "references": [{"source": "jenkinsci-cert@googlegroups.com", "url": "https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-1166"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "org.jenkins-ci.main/jenkins-core: Jenkins cross-site request forgery", "id": "2420999", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2420999"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-613", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-67639", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}], "public_date": "2025-12-10T16:50:38Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-67639\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-67639\nhttps://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-1166"], "threat_severity": "Low"}

{"created": "2025-12-10T21:33:14.464049+00:00", "updated": "2025-12-10T21:33:14.464074+00:00", "vendors": ["jenkins", "jenkins$PRODUCT$jenkins"]}