GHSA-mrpq-9jr3-rqq9

Suggest an improvement
Source
https://github.com/advisories/GHSA-mrpq-9jr3-rqq9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-mrpq-9jr3-rqq9/GHSA-mrpq-9jr3-rqq9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mrpq-9jr3-rqq9
Aliases
  • CVE-2025-64132
Published
2025-10-29T15:31:56Z
Modified
2025-10-29T19:12:46.870658Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Jenkins MCP Server Plugin does not perform permission checks in multiple MCP tools
Details

Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in several MCP tools.

This allows to do the following:

  • Attackers with Item/Read permission can obtain information about the configured SCM in a job despite lacking Item/Extended Read permission (getJobScm).

  • Attackers with Item/Read permission can trigger new builds of a job despite lacking Item/Build permission (triggerBuild).

  • Attackers without Overall/Read permission can retrieve the names of configured clouds (getStatus).

MCP Server Plugin 0.86.v7d3355e6aa18 performs permission checks for the affected MCP tools.

Database specific 
{
    "nvd_published_at": "2025-10-29T14:15:57Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-29T18:52:20Z"
}
References

Affected packages

Maven / io.jenkins.plugins:mcp-server

Package

Name
io.jenkins.plugins:mcp-server
View open source insights on deps.dev
Purl
pkg:maven/io.jenkins.plugins/mcp-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.86.v7d3355e6a

Affected versions

0.*

0.16.vc9132432728d
0.17.v941ed9da_c023
0.25.v59ca_c2d5ffc5
0.26.v4a_0d810a_7f71
0.27.v4034b_d4c4cb_5
0.33.vecd845512255
0.34.v9f214cb_76168
0.35.v03801a_87ff6d
0.37.v5d2d8c089e8b_
0.41.vdd84b_1430491
0.46.v43ff45cf7fe5
0.57.vc17d46a_5d10b_
0.77.veb_c7b_a_b_f0445
0.84.v50ca_24ef83f2