Multiple Jenkins Plugin Vulnerabilities Expose Sensitive Information to Attackers

Jenkins, the widely used open-source automation server, faces heightened security risks after researchers disclosed 11 critical vulnerabilities across its core software and eight plugins.

These flaws expose sensitive data, enable code execution, and allow unauthorized configuration changes.

Key Vulnerabilities and Risks

1. High-Severity Sandbox Bypass (CVE-2025-31722)
   The Templating Engine Plugin (≤2.5.3) allows attackers with Item/Configure permissions to execute arbitrary code on Jenkins controllers through folder-scoped libraries. This vulnerability carries a CVSS score of 9.1.
2. Agent Configuration Leaks (CVE-2025-31720, CVE-2025-31721)
   Jenkins core (≤2.503) lets attackers with Computer/Create permissions steal agent configurations and secrets like API keys or passwords due to missing permission checks.
3. Plaintext Credential Storage
   Plugins like Cadence vManager (CVE-2025-31724), Stack Hammer (CVE-2025-31726), and AsakusaSatellite (CVE-2025-31727/31728) store API keys/passwords unencrypted in job config files.
4. CSRF in Simple Queue Plugin (CVE-2025-31723)
   Attackers manipulate build queues via forged requests.

Affected Products and CVEs

Affected Product	CVE IDs	Severity	Affected Versions	Fixed Version
Jenkins Core	CVE-2025-31720	Medium	≤2.503 (Weekly), ≤2.492.2 (LTS)	2.504 (Weekly), 2.492.3 (LTS)
Jenkins Core	CVE-2025-31721	Medium	≤2.503 (Weekly), ≤2.492.2 (LTS)	2.504 (Weekly), 2.492.3 (LTS)
Templating Engine Plugin	CVE-2025-31722	High	≤2.5.3	2.5.4
Simple Queue Plugin	CVE-2025-31723	Medium	≤1.4.6	1.4.7
Cadence vManager Plugin	CVE-2025-31724	Medium	≤4.0.0-282.v5096a_c2db_275	4.0.1-286.v9e25a_740b_a_48
monitor-remote-job Plugin	CVE-2025-31725	Medium	≤1.0	None (Unfixed)
Stack Hammer Plugin	CVE-2025-31726	Medium	≤1.0.6	None (Unfixed)
AsakusaSatellite Plugin	CVE-2025-31727/31728	Medium	≤0.1.1	None (Unfixed)

Mitigation Steps

1. Update Immediately:
   • Upgrade Jenkins weekly to 2.504 or LTS to 2.492.3.
   • Patch plugins like Templating Engine (2.5.4) and Simple Queue (1.4.7).
2. Restrict Permissions:
   Limit Computer/Create and Item/Configure access to minimize attack surfaces.
3. Monitor Unfixed Plugins:
   For monitor-remote-job, Stack Hammer, and AsakusaSatellite, restrict file system access to config.xml files until patches arrive.
4. Audit Logs:
   Check for unauthorized queue changes or unexpected agent configurations.

Jenkins has not yet provided fixes for three plugins, urging administrators to disable non-essential functionalities.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!