CloudBees Security Advisory 2025-09-03

This advisory announces vulnerabilities in CloudBees CI and Jenkins.

File system information disclosure vulnerability in Git client Plugin

SECURITY-3590 / CVE-2025-58458
Severity (CVSS): Medium
Affected plugin: git-client
Description:

Git client Plugin 6.3.2 and earlier allows specifying the experimental amazon-s3 protocol for use with the bundled JGit library. This protocol authenticates against Amazon S3 based on contents of the file whose path is provided as the authority part of the URL (amazon-s3://path-to-file@bucketname/folder).

While use of this protocol in Git client Plugin to perform any actions always fails due to a bug in the plugin, error messages can be used to determine whether the specified file path exists on the controller.

This allows attackers to check for the existence of an attacker-specified file path on the Jenkins controller file system. Whether an attacker has the permissions to exploit this vulnerability depends on the installed plugins that expose Git client Plugin functionality to users. For example, attackers with Credentials/Use Item permission (implied by Item/Configure) can use form field validation responses of URL fields in Git Plugin.

Jenkins instances using command line Git exclusively (the default) are unaffected by this vulnerability.

Git client Plugin 6.3.3 prohibits use of the amazon-s3 protocol with JGit.

SMTP command injection vulnerability in Jakarta Mail API Plugin

SECURITY-3617 / CVE-2025-7962
Severity (CVSS): Medium
Affected plugin: jakarta-mail-api
Description:

Jakarta Mail API Plugin 2.1.3-2 and earlier bundles versions of Angus Mail vulnerable to CVE-2025-7962.

This allows attackers able to control recipient email addresses of emails sent by Jenkins to send emails with arbitrary contents to arbitrary recipients.

Jakarta Mail API Plugin 2.1.3-3 updates Angus Mail to version 2.0.4, which is unaffected by this issue.

Missing permission checks in global-build-stats Plugin allow enumerating graph IDs

SECURITY-3535 / CVE-2025-58459
Severity (CVSS): Medium
Affected plugin: global-build-stats
Description:

global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints.

This allows attackers with Overall/Read permission to enumerate graph IDs. These IDs can be used to access those graphs.

global-build-stats Plugin 347.v32a_eb_0493c4f requires Overall/Administer permission to access its REST API endpoints.

Missing permission check in OpenTelemetry Plugin allows capturing credentials

SECURITY-3602 / CVE-2025-58460
Severity (CVSS): Medium
Affected plugin: opentelemetry
Description:

OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OpenTelemetry Plugin 3.1543.1545.vf5a_4ec123769 requires Overall/Administer permission for the affected form validation method.
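The pattern behind SECURITY-3602 (and the same missing gate in the SECURITY-3535 REST endpoints), as an added example that is not the OpenTelemetry Plugin's own code: a hypothetical Jenkins global-configuration descriptor whose form-validation method is restricted to POST and to Overall/Administer before it resolves a credential by ID and connects outward. The class, method and parameter names are assumptions.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

@Extension
public class ExporterConfig extends GlobalConfiguration { // hypothetical descriptor

    // Vulnerable shape, kept only as a comment: the same method without @POST and without
    // checkPermission is reachable by GET from any Overall/Read user, who can then send a
    // credential they merely name by ID to an endpoint of their choosing.

    @POST // GET is rejected, and Jenkins requires its CSRF crumb on POST
    public FormValidation doValidateEndpoint(@QueryParameter String endpoint,
                                             @QueryParameter String credentialsId) {
        // The missing gate: only administrators may make the controller connect
        // outward using a globally scoped credential (what the 3.1543.1545 fix adds).
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        StandardUsernamePasswordCredentials cred = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class, Jenkins.get(), ACL.SYSTEM),
                CredentialsMatchers.withId(credentialsId));
        if (cred == null) {
            return FormValidation.error("No username/password credential with that ID");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(endpoint).openConnection();
            conn.setConnectTimeout(5000);
            String basic = cred.getUsername() + ":" + cred.getPassword().getPlainText();
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
            int status = conn.getResponseCode();
            return status < 400 ? FormValidation.ok("Connected, HTTP " + status)
                                : FormValidation.error("Endpoint returned HTTP " + status);
        } catch (Exception e) {
            // Do not echo the exception text: connection errors can reveal internal detail.
            return FormValidation.error("Could not connect to the endpoint");
        }
    }
}
```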

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.516.2.28997

  • CloudBees Cloud Platforms should be upgraded to 2.516.2.28997

Credit

  • Daniel Beck, CloudBees, Inc. for SECURITY-3535, SECURITY-3590

  • Kevin Guerroudj, CloudBees, Inc. for SECURITY-3602