GHSA-q7c3-x7hm-qq72 · Severity: critical · Ecosystem: maven — Jenkins OpenID Connect Provider Plugin Incorrectly Validates Crafted Build ID Tokens
In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to configure jobs to craft a build ID Token that impersonates a trusted job, potentially gaining unauthorized access to external services.
Conclusion & alert: CVE-2025-47884 is rated Moderate Risk (51.1/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.58%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS note: the daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.93% | 0.58% | -0.35% |
| 2 | 2026-03-10 | 0.30% | 0.93% | +0.63% |
| 3 | 2026-01-28 | — | 0.30% | — |
Full EPSS history (11 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.1 | 3.1 | CRITICAL | | 3.1 | 5.3 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| vendor | priority | summary | link |
|---|---|---|---|
| alpine | — | CVE-2025-47884: 1 source package rows (jenkins); 33 state rows across 3 repos (3.22-community, 3.23-community, edge-community); fixed 0, open 33. | https://security.alpinelinux.org/vuln/CVE-2025-47884 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| jenkins | openid_connect_provider | <= 96.vee8ed882ec4d | cpe:2.3:a:jenkins:openid_connect_provider:*:*:*:*:*:jenkins:*:* |
| URL | Tags |
|---|---|
| https://www.jenkins.io/security/advisory/2025-05-14/#SECURITY-3574 | Vendor Advisory |