Jenkins Critical Vulnerability - 20250519001
Overview
The WA SOC has been made aware of an authentication bypass vulnerability affecting the Jenkins WSO2 Oauth Plugin. Successful exploitation allows unauthenticated attackers to log in to controllers using this security realm with any username and any password, including usernames that do not exist.
What is vulnerable?
| Product(s) Affected | Version(s) | CVE | CVSS | Severity |
|---|---|---|---|---|
| Jenkins WSO2 Oauth Plugin | <= 1.0 | CVE-2025-47889 | 9.8 | Critical |
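To check whether a controller carries the affected plugin in the version range from the table above, the following added script (not part of this advisory or the Jenkins project) parses the JSON returned by the Jenkins `pluginManager/api/json?depth=1` endpoint and flags the plugin where its version is at or below 1.0. The plugin short name `wso2id-oauth` and the embedded sample payload are assumptions; confirm the short name against the controller's Plugin Manager listing.

```python
import json

# Assumed plugin short name for the Jenkins WSO2 Oauth Plugin; verify in Plugin Manager.
AFFECTED_PLUGIN = "wso2id-oauth"
MAX_AFFECTED_VERSION = "1.0"  # advisory table: <= 1.0 is affected

# Constructed sample of a pluginManager/api/json?depth=1 response, two plugins.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.1", "active": True, "enabled": True},
        {"shortName": "wso2id-oauth", "version": "1.0", "active": True, "enabled": True},
    ]
})


def parse_version(v: str) -> tuple:
    """Turn '1.0', '1.0.2' or '1.0-beta' into a tuple of ints for comparison.
    Non-numeric suffixes are dropped, so a '1.0-beta' build still compares as 1.0,
    which is the conservative choice for an '<= 1.0' check."""
    parts = []
    for piece in v.replace("-", ".").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version falls inside the advisory's affected range."""
    return parse_version(version) <= parse_version(MAX_AFFECTED_VERSION)


def affected_plugins(plugin_manager_json: str) -> list:
    """Return entries from a pluginManager JSON payload that match the advisory."""
    data = json.loads(plugin_manager_json)
    hits = []
    for p in data.get("plugins", []):
        if p.get("shortName") == AFFECTED_PLUGIN and is_affected(p.get("version", "0")):
            hits.append({"shortName": p["shortName"], "version": p["version"],
                         "active": p.get("active", False)})
    return hits


if __name__ == "__main__":
    # In practice fetch the payload from <controller>/pluginManager/api/json?depth=1
    # with an API token; here the constructed sample stands in for that response.
    for hit in affected_plugins(SAMPLE_PLUGIN_MANAGER_JSON):
        print(f"AFFECTED: {hit['shortName']} {hit['version']} (active={hit['active']})")
```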
What has been observed?
The Jenkins project has noted that there is currently no published fix for this vulnerability. The WA SOC has not received any reports of exploitation of this vulnerability on Western Australian Government networks at the time of writing.
Recommendation
The WA SOC recommends that administrators monitor for, and apply, any newly published solutions as per vendor instructions to all affected devices within expected timeframes once available (refer Patch Management):