CVE-2025-47884: 
Java vulnerability analysis and mitigation

CVE-2025-47884 affects the Jenkins OpenID Connect Provider Plugin versions 96.vee8ed882ec4d and earlier. The vulnerability was discovered and disclosed on May 14, 2025, impacting the plugin's build ID token generation mechanism. This critical vulnerability relates to insufficient validation of claims in the OpenID Connect Provider Plugin, specifically in how it handles environment variables for dynamic content in claim templates (Jenkins Advisory, Wiz).

The vulnerability stems from the plugin's handling of environment variables in claim templates for dynamic content. The default claim template for build ID tokens uses the JOB_URL environment variable for the sub (Subject) claim, but the generation process accepts potentially overridden values of environment variables. When used in conjunction with plugins that allow arbitrary environment variable override (such as the Environment Injector Plugin), this creates a security weakness. The vulnerability has received a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L (Jenkins Advisory, Wiz).

The vulnerability enables attackers with job configuration permissions to craft build ID tokens that can impersonate trusted jobs. This capability could lead to unauthorized access to external services that rely on these tokens for authentication and authorization. The impact is particularly severe in environments where the OpenID Connect Provider Plugin is used for service-to-service authentication (Wiz).

The vulnerability has been fixed in OpenID Connect Provider Plugin version 111.v29fd614b_3617. In this version, the generation of build ID tokens ignores environment variables if they have been overridden. Users are strongly advised to upgrade to this version immediately. The fix prevents the use of overridden environment variables in token generation (Jenkins Advisory, Wiz).