Jenkins global-build-stats Plugin missing permission check can result in graph IDs being enumerated

Jenkins global-build-stats Plugin 322.v22f4db18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs. This has been patched in version 347.v32aeb0493c4f...

CVE-2025-58459

The CVE concerns Jenkins global-build-stats Plugin, affected versions 322.v22f4db_18e2dd and earlier, which do not perform permission checks in REST API endpoints. This allows attackers with Overall/Read permissions to enumerate graph IDs, indicating a disclosure/enumeration risk without exploita...