GHSA-fxp5-37mh-vff5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fxp5-37mh-vff5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-fxp5-37mh-vff5/GHSA-fxp5-37mh-vff5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fxp5-37mh-vff5
- Aliases
-
- CVE-2025-13472
- Published
- 2025-12-03T09:31:13Z
- Modified
- 2025-12-03T20:24:50.270441Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- BlazeMeter Jenkins Plugin is Missing Authorization for Available Resources
- Details
-
A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI.
- Database specific
{ "severity": "MODERATE", "nvd_published_at": "2025-12-03T09:15:47Z", "github_reviewed_at": "2025-12-03T19:10:31Z", "cwe_ids": [ "CWE-862" ], "github_reviewed": true }- References
Affected packages
Maven / com.blazemeter.plugins:BlazeMeterJenkinsPlugin
Package
- Name
- com.blazemeter.plugins:BlazeMeterJenkinsPlugin
- View open source insights on deps.dev
- Purl
- pkg:maven/com.blazemeter.plugins/BlazeMeterJenkinsPlugin
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.27
Affected versions
1.*
1.0-beta-1
1.01-beta-2
1.02-beta-3
1.04-beta-1
1.05-beta-1
1.06-beta-1
1.07-beta-1
1.08-beta-1
2.*
2.0
2.1
2.2
2.2.1
2.3
2.4
2.5
2.5.2
2.6
2.7
2.8
3.*
3.0
3.1
4.*
4.0
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
4.12
4.13
4.14
4.15
4.16
4.17
4.18
4.19
4.20
4.21
4.22
4.23
4.24
4.25
4.26