Jenkins Plugin Vulnerabilities: Info Leak, SMTP Injection, Privilege Escalation (CVE-2025-58458/7962/58459/58460)

Critical Vulnerability Information 1. Git client Plugin File System Information Disclosure Vulnerability CVE: CVE-2025-58458 Severity: Medium (CVSS: Medium) Affected Plugin: git-client Description: Git client Plugin versions 6.3.2 and earlier allow the use of the experimental protocol with the bundled Git library. This protocol authenticates files based on content derived from file paths, which are provided as part of the URL's authority section. Impact: Attackers can check whether specified file paths exist in the Jenkins controller's file system. 2. Jakarta Mail API Plugin SMTP Command Injection Vulnerability CVE: CVE-2025-7962 Severity: Medium (CVSS: Medium) Affected Plugin: jakarta-mail-api Description: Jakarta Mail API Plugin versions 2.1.3-2 and earlier bundle a version of Angus Mail that is vulnerable to CVE-2025-7962. Impact: Attackers can control the recipient email address for emails sent by Jenkins and send emails with arbitrary content to any recipient. 3. global-build-stats Plugin Missing Permission Check Leading to Graph ID Enumeration CVE: CVE-2025-58459 Severity: Medium (CVSS: Medium) Affected Plugin: global-build-stats Description: global-build-stats Plugin versions 3.22.v22f4db_18e2dd and earlier do not perform permission checks on their REST API endpoints. Impact: Attackers with Overall/Read permissions can enumerate graph IDs and access those graphs. 4. OpenTelemetry Plugin Missing Permission Check Leading to Credential Capture CVE: CVE-2025-58460 Severity: Medium (CVSS: Medium) Affected Plugin: opentelemetry Description: OpenTelemetry Plugin versions 3.1543.v8446b_92b_c6d6 and earlier do not perform permission checks in methods implementing form validation. Impact: Attackers with Overall/Read permissions can connect to a connection via an attacker-specified URL and capture credentials stored in Jenkins. Remediation Recommendations Upgrade Git client Plugin to version 6.3.3 Upgrade global-build-stats Plugin to version 3.47.v32a_eb_0493c4f Upgrade Jakarta Mail API Plugin to version 2.1.3-3 Upgrade OpenTelemetry Plugin to version 3.1543.1545.vf5a_4ec123769

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Plugin Vulnerabilities: Info Leak, SMTP Injection, Privilege Escalation (CVE-2025-58458/7962/58459/58460)