CVE-2025-47884 — CRITICAL (9.1)

Q: How severe is CVE-2025-47884?

CVE-2025-47884 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2025-47884?

Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Openid Connect Provider.

Vulnerability Description

In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to configure jobs to craft a build ID Token that impersonates a trusted job, potentially gaining unauthorized access to external services.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Jenkins	Openid Connect Provider	<= 96.vee8ed882ec4d

Related Weaknesses (CWE)

CWE-284

References

https://www.jenkins.io/security/advisory/2025-05-14/#SECURITY-3574Vendor Advisory

FAQ

What is CVE-2025-47884?

CVE-2025-47884 is a vulnerability with a CVSS score of 9.1 (CRITICAL). In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other ...

How severe is CVE-2025-47884?

CVE-2025-47884 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-47884?

Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Openid Connect Provider.