CVE-2025-47889 – org.jenkins-ci.plugins:wso2id-oauth
Package
Manager: maven
Name: org.jenkins-ci.plugins:wso2id-oauth
Vulnerable Version: >=0 <=1.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00122 (percentile 0.32028)
Details
Jenkins WSO2 Oauth Plugin Fails to Properly Authenticate User Credentials
In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm with any username and any password, including usernames that do not exist.
Metadata
Created: 2025-05-14T21:31:20Z
Modified: 2025-05-16T14:49:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-p89h-p4ph-4vj6/GHSA-p89h-p4ph-4vj6.json
CWE IDs: ["CWE-1390", "CWE-287"]
Alternative ID: GHSA-p89h-p4ph-4vj6
Finding: F006
Auto approve: 1