Vulnerability

CERT-In Vulnerability Note CIVN-2025-0073
Multiple Vulnerabilities in Jenkins

Original Issue Date:April 09, 2025

Severity Rating: HIGH

Software Affected

Jenkins weekly versions 2.503 and prior
Jenkins LTS versions 2.492.2 and prior
AsakusaSatellite Plugin versions 0.1.1 and prior
Cadence vManager Plugin versions 4.0.0-282.v5096a_c2db_275 and prior
monitor-remote-job Plugin versions 1.0 prior
Simple Queue Plugin versions 1.4.6 prior
Stack Hammer Plugin versions 1.0.6 prior
Templating Engine Plugin versions 2.5.3 prior

Overview

Multiple vulnerabilities have been reported in Jenkins and several Jenkins plugins, which could allow remote attackers to perform cross-site request forgery (CSRF), gain unauthorized access to sensitive information, bypass security restrictions, or execute arbitrary code on affected systems.

Target Audience:
All organizations and individuals using Jenkins.

Impact Assessment:
Potential for Cross-site request forgery (CSRF) attacks, Sensitive information disclosure, and Open redirect vulnerabilities leading to phishing attacks.

Description

Jenkins is an open-source automation server used for continuous integration (CI) and continuous delivery (CD), enabling developers to build, test, and deploy applications efficiently.

These vulnerabilities exist in Jenkins due to missing permission checks in Jenkins core allowing attackers with Agent/Create permission to copy agents and access sensitive configuration data, a Script Security sandbox bypass vulnerability through folder-scoped libraries in the Templating Engine Plugin, a CSRF vulnerability in the Simple Queue Plugin, storage of API keys in plaintext by the Cadence vManager Plugin, Stack Hammer Plugin, and AsakusaSatellite Plugin, and storage of passwords in plaintext by the monitor-remote-job Plugin.

Successful exploitation of these vulnerabilities could allow could allow remote attackers to perform cross-site request forgery (CSRF), gain unauthorized access to sensitive information, bypass security restrictions, or execute arbitrary code on affected systems.

Solution

Apply appropriate updates as mentioned in Jenkins advisory:
https://www.jenkins.io/security/advisory/2025-04-02/

Vendor Information

Jenkins
https://www.jenkins.io/security/advisory/2025-04-02/

References

Jenkins
https://www.jenkins.io/security/advisory/2025-04-02/

CVE Name
CVE-2025-31720
CVE-2025-31721
CVE-2025-31722
CVE-2025-31723
CVE-2025-31724
CVE-2025-31725
CVE-2025-31726
CVE-2025-31727

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India