CVE-2025-13472

MEDIUM

BlazeMeter Jenkins Plugin < 4.27 - Missing Authorization for Resource List Access


Description

A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow only users with certain permissions to see the list of available resources, such as credential IDs, bzm workspaces and bzm project IDs. Prior to this fix, anyone could see this list as a dropdown in the Jenkins UI.

Scores

CVSS v4 5.3
EPSS 0.0021
EPSS Percentile 11.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (2)
com.blazemeter.plugins/BlazeMeterJenkinsPlugin 0 - 4.27 (Maven)
Perforce/BlazeMeter < 4.27
Published Dec 03, 2025
Tracked Since Feb 18, 2026