Vulnerability in Jenkins OpenID Connect Provider Plugin
CVE-2025-47884
In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to conf…
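The advisory's core point is the source of truth for the claims in a build ID Token: if the issuer reads the job identity from the build environment, anything that can rewrite that environment (a build parameter or another plugin's contributed variable) rewrites the identity the token asserts, while the signature stays perfectly valid. The following Python model, added here as an illustration and not code from the plugin or from Jenkins, shows the environment-derived issuer beside one that reads the run's own metadata, and a relying party that trusts by `sub`. The HS256 signing, the issuer URL, the claim names, the `Build` class and the parameter-shadowing rule in `Build.environment()` are all assumptions of the model; the only fact taken from the advisory is that the token's values can be overridden through the environment.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key and issuer. A real OIDC provider signs with an asymmetric
# key published via JWKS; HMAC keeps this model self-contained and offline.
DEMO_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://jenkins.example/oidc"  # assumed issuer URL, not the plugin's


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims):
    """Minimal HS256 JWT (header.payload.signature) without third-party libraries."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, claims)
    )
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token):
    """Return the claims if the signature verifies, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong number of segments or malformed base64
        return None
    expected = hmac.new(DEMO_KEY, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_b64url_decode(payload_b64))


class Build:
    """Model of one Jenkins run: metadata the controller knows to be true, plus the
    build parameters chosen by whoever configured the job."""

    def __init__(self, job_name, build_number, parameters=None):
        self.job_name = job_name
        self.build_number = build_number
        self.parameters = dict(parameters or {})

    def environment(self):
        # Assumption modelled here: core variables are set first and parameters
        # (or variables contributed by other plugins) are layered on top, so a
        # parameter named JOB_NAME shadows the real job name in the build env.
        env = {"JOB_NAME": self.job_name, "BUILD_NUMBER": str(self.build_number)}
        env.update(self.parameters)
        return env


def issue_token_vulnerable(build):
    """Claims taken from the build environment: the pattern the advisory describes."""
    env = build.environment()
    return sign_jwt({"iss": ISSUER, "sub": env["JOB_NAME"], "build_number": env["BUILD_NUMBER"]})


def issue_token_fixed(build):
    """Claims taken from the run's own metadata, which no job parameter can override."""
    return sign_jwt({"iss": ISSUER, "sub": build.job_name, "build_number": str(build.build_number)})


def relying_party_accepts(token, trusted_subjects):
    """What an external service does with the token: verify the signature, then trust by `sub`."""
    claims = verify_jwt(token)
    return claims is not None and claims.get("iss") == ISSUER and claims.get("sub") in trusted_subjects


# Constructed scenario: a job the attacker may configure, with a parameter whose name
# collides with a core build variable so the env-derived `sub` names a trusted job.
TRUSTED_SUBJECTS = {"prod/deploy"}
ATTACKER_BUILD = Build("untrusted/pr-build", 42, {"JOB_NAME": "prod/deploy"})

if __name__ == "__main__":
    for label, issue in (("vulnerable", issue_token_vulnerable), ("fixed", issue_token_fixed)):
        token = issue(ATTACKER_BUILD)
        print(label, verify_jwt(token)["sub"], relying_party_accepts(token, TRUSTED_SUBJECTS))
```

The point to take from the model is that signature verification on the relying-party side cannot catch this: both tokens are genuine issuer signatures, and only the provenance of the claim values differs. On the consumer side, the practical check is to bind trust to claims the issuer derives from controller-owned metadata and, where possible, to an audience restricted to the one service, rather than to any value a job configurer can influence.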
EPSS: 0.006 (44.7th percentile), i.e. an estimated 0.6% probability of exploitation activity in the wild within the next 30 days.
CVSS v3 metric
CVSS v3.1 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L.
Affected products
- Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier
Weakness classification (CWE)
- Improper Access Control (CWE-284)
Public proof-of-concept exploits
- One public proof-of-concept repository is indexed; no link to it is reproduced on this page.
References
- Jenkins Security Advisory 2025-05-14 (vendor advisory): https://www.jenkins.io/security/advisory/2025-05-14/ ; CNA contact: jenkinsci-cert@googlegroups.com
Frequently asked questions
- What is CVE-2025-47884?
- CVE-2025-47884 is a critical-severity vulnerability in the Jenkins OpenID Connect Provider Plugin, classified as Improper Access Control. CVSS v3.1 base score: 9.1/10. Published 2025-05-14.
- How severe is CVE-2025-47884?
- Critical severity. CVSS v3 base score is 9.1 out of 10.
- Is CVE-2025-47884 known to be exploited?
- One public proof-of-concept repository is indexed. The CVE is not currently listed in the CISA KEV catalog.