CVE-2025-58460: Vulnerability in Jenkins Project Jenkins OpenTelemetry Plugin
A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
AI Analysis
Technical Summary
CVE-2025-58460 is a vulnerability identified in the Jenkins OpenTelemetry Plugin versions 3.1543.v8446b_92b_cd64 and earlier. The root cause is a missing permission check that allows users with Overall/Read permission to exploit the plugin's functionality to connect to an attacker-specified URL. The attacker can specify credentials IDs, which they must have obtained through other means, to authenticate these connections. This flaw can lead to the exposure of credentials stored within Jenkins, compromising the confidentiality and integrity of sensitive information. The vulnerability does not affect availability and does not require user interaction, but the attack complexity is high due to the prerequisite of obtaining credentials IDs beforehand. The CVSS v3.1 score is 4.2, indicating medium severity, with the vector highlighting network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and limited impact on confidentiality and integrity. No patches were linked at the time of reporting, and no known exploits have been observed in the wild. The vulnerability is classified under CWE-862 (Missing Authorization).
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of credentials stored in Jenkins environments. Since Jenkins is widely used for continuous integration and deployment pipelines, exposure of credentials could lead to unauthorized access to critical infrastructure, source code repositories, or deployment environments. This could result in intellectual property theft, disruption of software delivery processes, or further lateral movement within networks. The medium severity and high attack complexity somewhat limit immediate widespread exploitation, but organizations with lax access controls or those that allow broad read permissions are at higher risk. The impact is particularly significant for sectors relying heavily on automated DevOps pipelines, including finance, manufacturing, and technology companies prevalent in Europe.
Mitigation Recommendations
1. Immediately restrict Overall/Read permissions in Jenkins to trusted users only, minimizing the attack surface. 2. Monitor and audit the use of credentials IDs within Jenkins to detect any unusual or unauthorized access patterns. 3. Apply security best practices by isolating Jenkins environments and limiting network access to trusted hosts. 4. Once available, promptly apply official patches or updates for the Jenkins OpenTelemetry Plugin to address the missing permission check. 5. Implement multi-factor authentication and credential vaulting solutions to reduce the risk of credential compromise. 6. Conduct regular security reviews of Jenkins plugins and configurations to identify and remediate similar permission issues. 7. Educate DevOps teams about the risks of over-permissioning and the importance of least privilege principles in CI/CD environments.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
CVE-2025-58460: Vulnerability in Jenkins Project Jenkins OpenTelemetry Plugin
Description
A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
AI-Powered Analysis
Technical Analysis
CVE-2025-58460 is a vulnerability identified in the Jenkins OpenTelemetry Plugin versions 3.1543.v8446b_92b_cd64 and earlier. The root cause is a missing permission check that allows users with Overall/Read permission to exploit the plugin's functionality to connect to an attacker-specified URL. The attacker can specify credentials IDs, which they must have obtained through other means, to authenticate these connections. This flaw can lead to the exposure of credentials stored within Jenkins, compromising the confidentiality and integrity of sensitive information. The vulnerability does not affect availability and does not require user interaction, but the attack complexity is high due to the prerequisite of obtaining credentials IDs beforehand. The CVSS v3.1 score is 4.2, indicating medium severity, with the vector highlighting network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and limited impact on confidentiality and integrity. No patches were linked at the time of reporting, and no known exploits have been observed in the wild. The vulnerability is classified under CWE-862 (Missing Authorization).
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of credentials stored in Jenkins environments. Since Jenkins is widely used for continuous integration and deployment pipelines, exposure of credentials could lead to unauthorized access to critical infrastructure, source code repositories, or deployment environments. This could result in intellectual property theft, disruption of software delivery processes, or further lateral movement within networks. The medium severity and high attack complexity somewhat limit immediate widespread exploitation, but organizations with lax access controls or those that allow broad read permissions are at higher risk. The impact is particularly significant for sectors relying heavily on automated DevOps pipelines, including finance, manufacturing, and technology companies prevalent in Europe.
Mitigation Recommendations
1. Immediately restrict Overall/Read permissions in Jenkins to trusted users only, minimizing the attack surface. 2. Monitor and audit the use of credentials IDs within Jenkins to detect any unusual or unauthorized access patterns. 3. Apply security best practices by isolating Jenkins environments and limiting network access to trusted hosts. 4. Once available, promptly apply official patches or updates for the Jenkins OpenTelemetry Plugin to address the missing permission check. 5. Implement multi-factor authentication and credential vaulting solutions to reduce the risk of credential compromise. 6. Conduct regular security reviews of Jenkins plugins and configurations to identify and remediate similar permission issues. 7. Educate DevOps teams about the risks of over-permissioning and the importance of least privilege principles in CI/CD environments.
Affected Countries
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- jenkins
- Date Reserved
- 2025-09-02T12:44:16.983Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 68b85c1aad5a09ad00f7780e
Added to database: 9/3/2025, 3:17:46 PM
Last enriched: 11/4/2025, 10:11:26 PM
Last updated: 1/18/2026, 2:05:49 AM
Views: 127
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-1107: Unrestricted Upload in EyouCMS
MediumCVE-2026-1106: Improper Authorization in Chamilo LMS
MediumCVE-2026-1105: SQL Injection in EasyCMS
MediumCVE-2026-1066: Command Injection in kalcaddle kodbox
MediumCVE-2026-1064: Command Injection in bastillion-io Bastillion
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.