URGENT: CodeShip EOL Jan 31, 2026! Transition to CloudBees Unify at current pricing. →

CloudBees Security Advisory 2025-09-17

This advisory announces vulnerabilities in CloudBees CI and Jenkins

HTTP/2 denial of service vulnerability in bundled Jetty

SECURITY-3618 / CVE-2025-5115
Severity (CVSS): High
Description:

Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat.

Jenkins 2.523 and earlier, LTS 2.516.2 and earlier, CloudBees CI 2.516.2.29000 and earlier bundles versions of Jetty affected by the security vulnerability CVE-2025-5115 ("MadeYouReset"). This vulnerability allows unauthenticated attackers to cause a denial of service.

This only affects instances that enable HTTP/2, typically using the --http2Port argument to java -jar jenkins.war or corresponding options in service configuration files. It is disabled by default in all native installers and the Docker images provided by the Jenkins project.

Jenkins 2.524, LTS 2.516.3, CloudBees CI 2.516.3.29358 updates the bundled Jetty to version 12.0.25, which is unaffected by these issues.

Administrators unable to update to these releases of Jenkins (or newer) are advised to disable HTTP/2.

Missing permission check allows obtaining agent names

SECURITY-3594 / CVE-2025-59474
Severity (CVSS): Medium
Description:

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, CloudBees CI 2.516.2.29000 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission.

This allows attackers without Overall/Read permission to list agent names through its sidepanel executors widget.

Jenkins 2.528, LTS 2.516.3, CloudBees CI 2.516.3.29358 removes the sidepanel from the affected view.

Missing permission check in authenticated users' profile menu

SECURITY-3625 / CVE-2025-59475
Severity (CVSS): Medium
Description:

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, CloudBees CI 2.516.2.29000 and earlier does not perform a permission check for the authenticated user profile dropdown menu. This allows attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu (e.g., whether Credentials Plugin is installed).

Jenkins 2.528, LTS 2.516.3, CloudBees CI 2.516.3.29358 requires Overall/Read permission to list various items in authenticated user profile dropdown menus.

Log message injection vulnerability

SECURITY-3424 / CVE-2025-59476
Severity (CVSS): Medium
Description:

In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, CloudBees CI 2.516.2.29000 and earlier, the log formatter that prepares log messages for console output (including jenkins.log and equivalent) does not restrict or transform the characters that can be inserted from user-specified content in log messages.

This allows attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output.

Jenkins 2.528, LTS 2.516.3, CloudBees CI 2.516.3.29358 adds an indicator at the beginning of a line that was inserted as part of log message content: [CR], [LF], or [CRLF] (representing the kind of line break), followed by > .

It is still possible to inject a number of characters into log output that can mislead viewers. Characters like ASCII BS (backspace) may result in log viewers hiding content, while Unicode-enabled log viewers may be misled by "Trojan Source" characters. It is recommended to use a log/text viewer that highlights unusual characters like those in its output.

M2M authentication lack of audience

BEE-59513
Severity (CVSS): High
Description:

Machine-to-machine (M2M) authentication is used within the CloudBees CI cluster to enable communication between Controllers or the Operations Center with standalone micro services (and services to Controllers). Previously, token audience was not being used, which could have allowed a rogue service (or Controller) to impersonate other services in the cluster. Now, an audience check to the authentication process has been added. In Kubernetes, tokens can be generated for a specific audience, so when a component receives a token it can check with the Kubernetes API if the token is valid and if it’s intended to be used to access a specific service (audience).

At the publication of this advisory, only 2 services and 1 plugin are using M2M authentication:

  • CasC Bundle Service (fixed version 735.d91c7b010225)

  • Pluggable Storage Service (fixed version 102.38fe2d9edb3d)

  • CloudBees CasC (fixed version 2.5335)

Everything else in the CloudBees CI cluster is unaffected by this.

This fix requires a Controller re-provisioning to ensure all Kubernetes resources are properly generated.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.516.3.29358

  • CloudBees Cloud Platforms should be upgraded to 2.516.3.29358

Credit

  • Daniel Beck, CloudBees, Inc. for SECURITY-3625

  • Manuel Fernandez (Stackhopper Security) for SECURITY-3424

  • Robert Houtenbrink, Faris Mohammed, and Harsh Yadav from the IBM Cloud Red Team for SECURITY-3594

More Security Advisories

Continuously redefine what’s possible through software

© 2025 CloudBees, Inc., CloudBees® and the Infinity logo® are registered trademarks of CloudBees, Inc. in the United States and may be registered in other countries. Other products or brand names may be trademarks or registered trademarks of CloudBees, Inc. or their respective holders.
Terms of Service