This advisory announces vulnerabilities in the following Jenkins deliverables:
git-client
Git client Plugin 6.3.2 and earlier, except 6.1.4 and 6.2.1, allows specifying the experimental amazon-s3 protocol for use with the bundled JGit library.
This protocol authenticates against Amazon S3 based on contents of the file whose path is provided as the authority part of the URL (amazon-s3://path-to-file@bucketname/folder).
While use of this protocol in Git client Plugin to perform any actions always fails due to a bug in the plugin, error messages can be used to determine whether the specified file path exists on the controller.
This allows attackers to check for the existence of an attacker-specified file path on the Jenkins controller file system. Whether an attacker has the permissions to exploit this vulnerability depends on the installed plugins that expose Git client Plugin functionality to users. For example, attackers with Credentials/Use Item permission (implied by Item/Configure) can use form field validation responses of URL fields in Git Plugin.
| Jenkins instances using command line Git exclusively (the default) are unaffected by this vulnerability. |
Git client Plugin 6.3.3 prohibits use of the amazon-s3 protocol for use with JGit.
jakarta-mail-api
Jakarta Mail API Plugin 2.1.3-2 and earlier bundles versions of Angus Mail vulnerable to CVE-2025-7962.
This allows attackers able to control recipient email addresses of emails sent by Jenkins to send emails with arbitrary contents to arbitrary recipients.
Jakarta Mail API Plugin 2.1.3-3 updates Angus Mail to version 2.0.4, which is unaffected by this issue.
global-build-stats
global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints.
This allows attackers with Overall/Read permission to enumerate graph IDs. These IDs can be used to access those graphs.
global-build-stats Plugin 347.v32a_eb_0493c4f requires Overall/Administer permission to access its REST API endpoints.
opentelemetry
OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
OpenTelemetry Plugin 3.1543.1545.vf5a_4ec123769 requires Overall/Administer permission for the affected form validation method.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: