
Jenkins Critical Vulnerability - 20250519001

Overview

The WA SOC has been made aware of an authentication bypass vulnerability affecting the Jenkins WSO2 Oauth Plugin. Successful exploitation allows an unauthenticated attacker to log in to any Jenkins controller that uses this plugin's security realm by supplying any username and any password, including usernames that do not exist.

What is vulnerable?

| Product(s) | Affected Version(s) | CVE | CVSS | Severity |
|---|---|---|---|---|
| Jenkins WSO2 Oauth Plugin | <= 1.0 | CVE-2025-47889 | 9.8 | Critical |

What has been observed?

Jenkins has noted that there is currently no published fix for this vulnerability. The WA SOC has not received any reports of exploitation of this vulnerability on Western Australian Government networks at the time of writing.

Recommendation

The WA SOC recommends administrators monitor for, and apply, any newly published solutions as per vendor instructions to all affected Jenkins controllers within expected timeframes when available (refer Patch Management). Because no fix currently exists, the only effective mitigation in the meantime is to stop relying on the plugin: switch affected controllers to a different security realm and disable or uninstall the WSO2 Oauth Plugin.
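The first step of the recommendation above is knowing which controllers run an affected version. The following script is an added example (not part of the WA SOC advisory or the Jenkins project) that checks a controller's plugin inventory via the real Jenkins `/pluginManager/api/json?depth=1` endpoint and flags the plugin if its version is at or below 1.0. The plugin's `shortName` is assumed to be `wso2id-oauth` (the advisory does not state it; confirm on plugins.jenkins.io), and the base URL, user and API token are hypothetical placeholders. The embedded sample response is constructed so the check runs offline.

```python
"""Inventory check: flag Jenkins controllers running an affected WSO2 Oauth Plugin version."""
import base64
import json
import re
import urllib.request

# ASSUMPTION: the plugin's shortName is "wso2id-oauth"; confirm against
# plugins.jenkins.io before relying on this check (not stated in the advisory).
AFFECTED_PLUGIN = "wso2id-oauth"
# Advisory: versions <= 1.0 are affected and no fixed release exists.
LAST_AFFECTED = (1, 0)


def parse_version(version):
    """Turn a plugin version string into a comparable tuple of ints.

    Only the leading dotted numeric part is compared ("1.0.1-SNAPSHOT" -> (1, 0, 1)),
    so pre-release suffixes do not break the comparison.
    """
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_affected(version):
    """True when the version is at or below the last affected release (1.0)."""
    return parse_version(version) <= LAST_AFFECTED


def find_affected(plugin_manager_json):
    """Return [(shortName, version, active)] for installed affected plugin versions."""
    hits = []
    for plugin in plugin_manager_json.get("plugins", []):
        if plugin.get("shortName") != AFFECTED_PLUGIN:
            continue
        if is_affected(plugin.get("version", "0")):
            hits.append((plugin["shortName"], plugin["version"], bool(plugin.get("active"))))
    return hits


def fetch_plugin_manager(base_url, user, api_token):
    """Query the controller's plugin manager API (a real Jenkins endpoint) with basic auth."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    request = urllib.request.Request(url)
    creds = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    request.add_header("Authorization", f"Basic {creds}")
    with urllib.request.urlopen(request, timeout=15) as response:
        return json.load(response)


# Constructed sample of what the endpoint returns, trimmed to the fields used here.
SAMPLE_PLUGIN_MANAGER = {
    "plugins": [
        {"shortName": "git", "version": "5.2.2", "active": True},
        {"shortName": AFFECTED_PLUGIN, "version": "1.0", "active": True},
    ]
}

if __name__ == "__main__":
    # Offline run against the constructed sample. For a real controller use, e.g.:
    # data = fetch_plugin_manager("https://jenkins.example.internal", "auditor", "<api-token>")
    for name, version, active in find_affected(SAMPLE_PLUGIN_MANAGER):
        print(f"AFFECTED: {name} {version} (active={active}) - no fix available; "
              f"move to another security realm and disable or uninstall the plugin")
```

Run it per controller (or loop over an inventory list) and treat any hit as unmitigated until the plugin is removed, since no patched version exists to compare against.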

Additional References