CVE-2025-47889

Name of the Vulnerable Software and Affected Versions Jenkins WSO2 Oauth Plugin versions 1.0 and earlier

Description The issue allows unauthenticated attackers to log in to controllers using the "WSO2 Oauth" security realm with any username and any password, including usernames that do not exist, due to authentication claims being accepted without validation. It is estimated that over 720,000 Jenkins instances are exposed to the internet, potentially affected by this issue.

Recommendations For Jenkins WSO2 Oauth Plugin versions 1.0 and earlier, consider disabling the "WSO2 Oauth" security realm until a patch is available to prevent unauthenticated access. Restrict access to controllers using this security realm to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.