CVE-2025-24403

Name of the Vulnerable Software and Affected Versions Jenkins Azure Service Fabric Plugin versions 1.6 and earlier

Description A missing permission check in the Jenkins Azure Service Fabric Plugin allows attackers with Overall/Read permission to enumerate the IDs of Azure credentials stored in Jenkins. This issue can be exploited by attackers to potentially capture the credentials using another vulnerability. The affected plugin does not perform permission checks in several HTTP endpoints, making it possible for attackers to enumerate credentials IDs.

Recommendations For Jenkins Azure Service Fabric Plugin versions 1.6 and earlier, consider disabling the plugin until a patch is available to prevent attackers from enumerating credentials IDs of Azure credentials stored in Jenkins. As a temporary workaround, restrict access to the plugin's HTTP endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.