Jenkins WSO2 Oauth Plugin Authentication Bypass Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in the WSO2 Oauth Plugin for Jenkins, affecting version 1.0 and earlier. The vulnerability arises because the 'WSO2 Oauth' security realm accepts authentication claims without proper validation. This flaw allows unauthenticated attackers to log in to controllers using any username and password, including those of non-existent users. Sessions created through this vulnerability lack any group memberships or additional authorities, although the impact may vary depending on the configured authorization strategy.

Impact

Exploitation of this vulnerability allows unauthenticated attackers to gain unauthorized access to Jenkins controllers, potentially with elevated permissions, depending on the authorization strategy in use.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.