cvedb.io
CVE-2025-47884
CRITICAL · CVSS 9.1
EPSS exploitation probability: 0%
Published 2025-05-14T21:15:59.363 · Last modified 2026-06-17T09:28:47.597

Summary

In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier, the generation of build ID Tokens uses potentially overridden values of environment variables. In conjunction with certain other plugins, this allows attackers able to configure jobs to craft a build ID Token that impersonates a trusted job, potentially gaining unauthorized access to external services.

Affected products

jenkins — openid_connect_provider

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.