Critical Vulnerability Information

1. OpenID Connect Provider Plugin - Insufficient Claim Validation
CVE: SECURITY-3574 / CVE-2025-47884
Severity: Critical
Affected Plugin: openid-provider
Description: The default build ID token template uses the environment variable, which may be overridden. When other plugins that allow arbitrary environment variable overrides are installed, an attacker can configure a job to generate a build ID token impersonating a trusted job, potentially gaining unauthorized access to external services.

2. Health Advisor by CloudBees Plugin - Stored XSS Vulnerability
CVE: SECURITY-3559 / CVE-2025-47885
Severity: High
Affected Plugin: cloudbees-jenkins-advisor
Description: Earlier versions of the plugin do not escape responses from the Jenkins Health Advisor server, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by an attacker able to control the responses from the Jenkins Health Advisor server.

3. Cadence vManager Plugin - CSRF Vulnerability and Missing Authorization Checks
CVE: SECURITY-3548 / CVE-2025-47886 (CSRF), CVE-2025-47887 (Missing Authorization Checks)
Severity: Medium
Affected Plugin: vmanager-plugin
Description: Earlier versions of the plugin do not perform authorization checks within method implementations, allowing an attacker with Overall/Read permission to connect to a specified URL using a specified username and password. Additionally, the form validation method does not require a POST request, resulting in a cross-site request forgery (CSRF) vulnerability.

4. DingTalk Plugin - Unconditional SSL/TLS Certificate Validation Disable
CVE: SECURITY-3535 / CVE-2025-47888
Severity: Medium
Affected Plugin: dingtalk-notifications
Description: Earlier versions of the plugin unconditionally disable SSL/TLS certificate and hostname validation, creating security risks for configured DingTalk Webhook connections.

5. WSO2 OAuth Plugin - Authentication Bypass Vulnerability
CVE: SECURITY-3481 / CVE-2025-47889
Severity: Critical
Affected Plugin: wso2id-oauth
Description: Earlier versions of the plugin accept unverified authentication claims, allowing an unauthenticated attacker to log in to the controller using any username and password, including non-existent usernames. This results in successful session creation, but the user has no additional permissions.

This summary outlines the details of five critical vulnerabilities, including their CVE identifiers, severity levels, affected plugins, and specific descriptions.