CVE-2025-59475: 
Java vulnerability analysis and mitigation

CVE-2025-59475 is a security vulnerability discovered in Jenkins affecting versions 2.527 and earlier, and LTS 2.516.2 and earlier. The vulnerability stems from a missing permission check in the authenticated user profile dropdown menu. This security flaw was discovered by Daniel Beck from CloudBees, Inc. and was publicly disclosed on September 17, 2025 (Jenkins Advisory).

The vulnerability has been assigned a Medium severity rating with a CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). It is classified under CWE-862 (Missing Authorization). The technical issue involves the authenticated user profile dropdown menu lacking proper permission validation mechanisms, which should normally restrict access based on user privileges (Red Hat).

The vulnerability allows attackers without Overall/Read permission to obtain limited information about the Jenkins configuration. Specifically, attackers can enumerate installed plugins and configuration details by listing available options in the user profile dropdown menu, such as determining whether the Credentials Plugin is installed (Jenkins Advisory, Cybersecurity News).

The vulnerability has been fixed in Jenkins weekly version 2.528 and LTS version 2.516.3. The fix implements proper permission checks requiring Overall/Read permission to list various items in authenticated user profile dropdown menus. Administrators are strongly advised to upgrade to these versions or newer to address this security issue (Jenkins Advisory).