CVE-2025-64132: Jenkins MCP Server Plugin does not perform permission checks in multiple MCP tools
Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in several MCP tools.
This allows the following:

- Attackers with Item/Read permission can obtain information about the configured SCM in a job despite lacking Item/Extended Read permission (getJobScm).
- Attackers with Item/Read permission can trigger new builds of a job despite lacking Item/Build permission (triggerBuild).
- Attackers without Overall/Read permission can retrieve the names of configured clouds (getStatus).
MCP Server Plugin 0.86.v7d3355e6a_a_18 performs permission checks for the affected MCP tools.
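As an added illustration (not the plugin's own code), the Jenkins core permission checks that close each of the three gaps, using the tool names from the advisory; the class name and method signatures are hypothetical, while the Jenkins API calls and Permission constants are real:

```java
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.model.Job;
import hudson.scm.SCM;
import hudson.slaves.Cloud;
import jenkins.model.Jenkins;
import jenkins.model.ParameterizedJobMixIn;

import java.util.List;
import java.util.stream.Collectors;

/**
 * Hypothetical tool implementations showing where the missing checks belong.
 * checkPermission() throws an access-denied exception for the current user
 * when the permission is absent, so a tool never reaches the protected data.
 */
public class GuardedMcpTools {

    // getJobScm: Item/Read only lets a user see that a job exists; its
    // configuration (SCM URLs, credential ids) requires Item/Extended Read.
    public SCM getJobScm(String fullName) {
        AbstractProject<?, ?> job = Jenkins.get().getItemByFullName(fullName, AbstractProject.class);
        if (job == null) {
            throw new IllegalArgumentException("no such job: " + fullName);
        }
        job.checkPermission(Item.EXTENDED_READ);
        return job.getScm();
    }

    // triggerBuild: queuing a build needs Item/Build on that specific job,
    // not just Item/Read.
    public void triggerBuild(String fullName) {
        Job<?, ?> job = Jenkins.get().getItemByFullName(fullName, Job.class);
        if (!(job instanceof ParameterizedJobMixIn.ParameterizedJob)) {
            throw new IllegalArgumentException("not a buildable job: " + fullName);
        }
        job.checkPermission(Item.BUILD);
        ((ParameterizedJobMixIn.ParameterizedJob<?, ?>) job).scheduleBuild2(0);
    }

    // getStatus: the cloud list is controller-level configuration, so the
    // caller must hold at least Overall/Read on the Jenkins instance.
    public List<String> getCloudNames() {
        Jenkins jenkins = Jenkins.get();
        jenkins.checkPermission(Jenkins.READ);
        return jenkins.clouds.stream().map(Cloud::getDisplayName).collect(Collectors.toList());
    }
}
```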