Improper authorization control for web services in org.jenkins-ci.main:jenkins-core

Description

Jenkins has a missing permission check that allows users to obtain agent names. Jenkins 2.527 and earlier, and LTS 2.516.2 and earlier, do not perform a permission check in the sidepanel of a page that is intentionally accessible to users lacking Overall/Read permission.

This allows attackers without Overall/Read permission to list agent names through that page's sidepanel executors widget.

Jenkins 2.528, LTS 2.516.3 removes the sidepanel from the affected view.
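The advisory's version ranges span two release lines that cannot be compared as plain numbers: LTS 2.516.3 is fixed although it sorts below weekly 2.528, while weekly 2.520 is affected although it sorts above LTS 2.516.3. The following helper, added here as an example and not part of the advisory or of Jenkins itself, applies the advisory's thresholds to an inventory of controller versions. It assumes the usual Jenkins convention that weekly releases have two numeric components (2.527) and LTS releases three (2.516.2); the function names and the sample inventory are constructed for this example.

```python
"""Triage Jenkins core versions against this advisory's affected ranges.

Thresholds come from the advisory text: weekly 2.527 and earlier and
LTS 2.516.2 and earlier are affected; weekly 2.528 and LTS 2.516.3 are fixed.
Helper names and the sample inventory are constructed for this example.
"""

import re
from typing import NamedTuple

# First fixed release of each line, taken from the advisory.
FIXED_WEEKLY = (2, 528)
FIXED_LTS = (2, 516, 3)

# Weekly releases are "2.N"; LTS releases are "2.N.M" (assumed convention).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


class JenkinsVersion(NamedTuple):
    parts: tuple   # numeric components, e.g. (2, 516, 3)
    is_lts: bool   # True when a third component is present


def parse_version(text: str) -> JenkinsVersion:
    """Parse '2.528' (weekly) or '2.516.3' (LTS).

    Anything else raises, so a malformed inventory entry cannot silently
    be reported as 'patched'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    major, minor, patch = m.groups()
    if patch is None:
        return JenkinsVersion((int(major), int(minor)), False)
    return JenkinsVersion((int(major), int(minor), int(patch)), True)


def is_affected(text: str) -> bool:
    """True if the given Jenkins version is vulnerable per the advisory.

    Each release line is compared only against its own fix version."""
    v = parse_version(text)
    if v.is_lts:
        return v.parts < FIXED_LTS
    return v.parts < FIXED_WEEKLY


def triage(inventory: dict) -> dict:
    """Map each controller name to 'affected' or 'patched' for reporting."""
    return {name: ("affected" if is_affected(ver) else "patched")
            for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: controller name -> reported core version.
    sample = {
        "ci-weekly":       "2.527",
        "ci-weekly-new":   "2.528",
        "ci-lts":          "2.516.2",
        "ci-lts-patched":  "2.516.3",
        "ci-lts-old":      "2.504.3",
    }
    for name, status in triage(sample).items():
        print(f"{name:16} {sample[name]:10} {status}")
```

The two-branch comparison in `is_affected` is the point: a single "version below 2.528" rule would wrongly flag patched LTS 2.516.3 controllers and would still be correct only by accident for weekly builds.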

Mitigation

Update to Jenkins 2.528 or LTS 2.516.3, which removes the sidepanel from the affected view.

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
