CVE-2025-59474 Scanner
CVE-2025-59474 Scanner - Information Disclosure vulnerability in Jenkins
Short Info
Level
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
12 days 21 hours
Scan only one
URL
Toolbox
-
Jenkins is a well-known open-source automation server. It is widely used for automating tasks related to building, testing, and deploying software. Jenkins is an essential tool in software development, particularly for continuous integration and continuous delivery processes. It is utilized by software teams across the globe, providing flexibility and extensibility through numerous plugins. Its web-based interface allows easy management of build and deployment pipelines. Jenkins supports distributed builds, which helps to scale out build operations and handle larger projects.
The information disclosure vulnerability in Jenkins involves the exposure of potentially sensitive infrastructure details. The vulnerability stems from Jenkins not performing adequate permission checks in certain scenarios. An attacker without the anticipated Overall/Read permission can access agent names via the sidepanel executors widget. This unauthorized access violates typical security protocols, allowing exposure to information that should remain protected. It can provide attackers with insider knowledge of the infrastructure, increasing the risk of targeted attacks.
This vulnerability specifically occurs due to a lack of permissions checks on sidepanel executors in Jenkins. The sidepanel executors widget on the Jenkins interface is accessible without Overall/Read permission checks. Attackers can trigger this exposure by visiting specific URLs aimed at pages where this permission oversight exists. Using this method, attackers can retrieve a list of agent names without appropriate authorization. The regular checks that should secure this data are bypassed, creating an information disclosure vulnerability.
Exploiting this vulnerability, attackers can gain unauthorized access to agent names within Jenkins, which may include sensitive details about the infrastructure. This can lead to increased risk of targeted attacks as attackers can use the disclosed information to understand the network structure and configuration better. Potentially sensitive operational details exposed could aid in crafting more effective attacks against other components of the infrastructure. Strengthening the permission checks will mitigate the likelihood of such unauthorized access.
REFERENCES
