CVE-2025-24401: Disabled permissions can be granted by Folder-based in Jenkins Authorization Strategy Plugin

January 22, 2025

Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they’re no longer entitled to.

References

github.com/advisories/GHSA-969g-rq57-c79h
github.com/jenkinsci/folder-auth-plugin
nvd.nist.gov/vuln/detail/CVE-2025-24401
www.jenkins.io/security/advisory/2025-01-22/

Code Behaviors & Features

Detect and mitigate CVE-2025-24401 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →