CVE-2025-13472: CWE-862 Missing Authorization in Perforce BlazeMeter
A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow only users with certain permissions to see the list of available resources such as credential IDs, bzm workspaces and bzm project IDs. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI.
AI Analysis
Technical Summary
CVE-2025-13472 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Perforce BlazeMeter Jenkins Plugin prior to version 4.27. The flaw allowed any Jenkins user, regardless of permission level, to view lists of sensitive resources, including credential IDs, BlazeMeter workspaces, and project IDs, through dropdown menus in the Jenkins user interface. This information disclosure arises because the plugin did not enforce authorization checks before populating these dropdowns. The impact is on confidentiality: the exposed identifiers could be leveraged for further attacks such as credential theft or unauthorized access to BlazeMeter projects. Exploitation requires no user interaction and is possible remotely by any user with access to the Jenkins UI, even one with low privileges. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality (VC:L) with no impact on integrity or availability. The issue was addressed in BlazeMeter Jenkins Plugin version 4.27 by restricting visibility of these resources to users with appropriate permissions. No public exploits or active exploitation have been reported to date. This vulnerability is particularly relevant for organizations using Jenkins for continuous integration and BlazeMeter for performance testing, as it could facilitate reconnaissance and lateral movement within development environments.
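The pattern behind this class of bug is a Jenkins descriptor whose dropdown-filling method runs without a permission check. The following is an added illustration, not the BlazeMeter plugin's source: the class name and the `mayEnumerateResources` helper are hypothetical, while the Jenkins core and credentials-plugin APIs used (`Descriptor`, `ListBoxModel`, `StandardListBoxModel`, `@AncestorInPath`, `Item.CONFIGURE`, `Jenkins.ADMINISTER`, `ACL.SYSTEM2`) are real and assume a recent Jenkins core. The same guard would be applied to the workspace and project ID dropdowns before any call to the vendor API.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.Builder;
import hudson.util.ListBoxModel;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

// Hypothetical descriptor, not the BlazeMeter plugin's own code.
public class ExampleStepDescriptor extends Descriptor<Builder> {

    // BEFORE (the CWE-862 shape): Jenkins exposes doFill*Items methods as web
    // endpoints, so anyone who can open the form receives every credential ID.
    public ListBoxModel doFillCredentialsIdItemsUnchecked(@QueryParameter String credentialsId) {
        return new StandardListBoxModel().includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM2, Jenkins.get(), StandardCredentials.class,
                        Collections.emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }

    // AFTER: one guard shared by every resource dropdown (credential IDs,
    // workspaces, project IDs). Inside a job, require the right to configure
    // it; on a global configuration form, require administrator.
    static boolean mayEnumerateResources(Item item) {
        return item == null ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                            : item.hasPermission(Item.CONFIGURE);
    }

    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                @QueryParameter String credentialsId) {
        StandardListBoxModel model = new StandardListBoxModel();
        if (!mayEnumerateResources(item)) {
            // Unauthorized callers see only the value already stored in the form,
            // so the page still renders but nothing new is disclosed.
            return model.includeCurrentValue(credentialsId);
        }
        return model.includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM2, item, StandardCredentials.class,
                        Collections.emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }
}
```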
Potential Impact
For European organizations, the primary impact of CVE-2025-13472 is unauthorized disclosure of sensitive resource identifiers within Jenkins environments integrated with BlazeMeter. This information leakage could enable attackers or malicious insiders to map out credential IDs and project structures, potentially aiding in subsequent targeted attacks such as credential compromise or unauthorized project access. While the vulnerability does not directly allow code execution or system takeover, the exposure of credential IDs and workspace information undermines the confidentiality of the CI/CD pipeline and associated testing infrastructure. Organizations in sectors with high reliance on software development and automated testing, such as finance, telecommunications, and manufacturing, could face increased risk if attackers leverage this information for lateral movement or supply chain attacks. The medium severity rating reflects the limited scope of impact but acknowledges the potential for escalation if combined with other vulnerabilities or insider threats. Additionally, regulatory requirements under GDPR emphasize protecting sensitive data, and unauthorized exposure of credentials or project information could lead to compliance issues or reputational damage.
Mitigation Recommendations
To mitigate CVE-2025-13472, organizations should immediately upgrade the BlazeMeter Jenkins Plugin to version 4.27 or later, where proper authorization checks have been implemented. Beyond patching, administrators should audit Jenkins user permissions to ensure that only trusted users have access to sensitive plugins and resources. Implement role-based access control (RBAC) within Jenkins to restrict visibility and modification rights to credential IDs and project configurations. Regularly review Jenkins audit logs for unusual access patterns or attempts to enumerate resources. Network segmentation can limit access to Jenkins servers to authorized personnel only, reducing exposure to unauthorized users. Additionally, consider integrating Jenkins with centralized identity and access management (IAM) solutions to enforce consistent authentication and authorization policies. Conduct security awareness training for developers and DevOps teams to recognize the importance of least privilege principles in CI/CD environments. Finally, monitor vendor advisories for any updates or related vulnerabilities in BlazeMeter or Jenkins plugins.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Perforce
- Date Reserved: 2025-11-20T11:26:48.612Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692ffe297fb5593475bc861f
Added to database: 12/3/2025, 9:08:57 AM
Last enriched: 12/10/2025, 9:11:39 AM
Last updated: 1/17/2026, 9:07:22 PM