Multiple Jenkins Plugin Vulnerabilities Expose Sensitive Information to Attackers

Jenkins, the widely used open-source automation server, faces heightened security risks after researchers disclosed 11 critical vulnerabilities across its core software and eight plugins.

These flaws expose sensitive data, enable code execution, and allow unauthorized configuration changes.

Key Vulnerabilities and Risks

1. High-Severity Sandbox Bypass (CVE-2025-31722)
   The Templating Engine Plugin (≤2.5.3) allows attackers with Item/Configure permissions to execute arbitrary code on Jenkins controllers through folder-scoped libraries. This vulnerability carries a CVSS score of 9.1.
2. Agent Configuration Leaks (CVE-2025-31720, CVE-2025-31721)
   Jenkins core (≤2.503) lets attackers with Computer/Create permissions steal agent configurations and secrets like API keys or passwords due to missing permission checks.
3. Plaintext Credential Storage
   Plugins like Cadence vManager (CVE-2025-31724), Stack Hammer (CVE-2025-31726), and AsakusaSatellite (CVE-2025-31727/31728) store API keys/passwords unencrypted in job config files.
4. CSRF in Simple Queue Plugin (CVE-2025-31723)
   Attackers manipulate build queues via forged requests.

Affected Products and CVEs

Mitigation Steps

1. Update Immediately:
   • Upgrade Jenkins weekly to 2.504 or LTS to 2.492.3.
   • Patch plugins like Templating Engine (2.5.4) and Simple Queue (1.4.7).
2. Restrict Permissions:
   Limit Computer/Create and Item/Configure access to minimize attack surfaces.
3. Monitor Unfixed Plugins:
   For monitor-remote-job, Stack Hammer, and AsakusaSatellite, restrict file system access to config.xml files until patches arrive.
4. Audit Logs:
   Check for unauthorized queue changes or unexpected agent configurations.

Jenkins has not yet provided fixes for three plugins, urging administrators to disable non-essential functionalities.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!