=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN742
_____________________________________________________________________

DATE                : 29/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins plugins.

=====================================================================
https://www.jenkins.io/security/advisory/2025-10-29/
_____________________________________________________________________

 Jenkins Security Advisory 2025-10-29

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    azure-cli Plugin
    ByteGuard Build Actions Plugin
    Curseforge Publisher Plugin
    Eggplant Runner Plugin
    Extensible Choice Parameter Plugin
    JDepend Plugin
    MCP Server Plugin
    Nexus Task Runner Plugin
    OpenShift Pipeline Plugin
    Publish to Bitbucket Plugin
    SAML Plugin
    Start Windocks Containers Plugin
    Themis Plugin


Descriptions

Replay vulnerability in SAML Plugin
SECURITY-3613 / CVE-2025-64131
Severity (CVSS): High
Affected plugin: saml
Description:

SAML Plugin 4.583.vc68232f7018a_ and earlier does not implement
a replay cache.

This allows attackers able to obtain information about the SAML
authentication flow between a user’s web browser and Jenkins to
replay those requests, authenticating to Jenkins as that user.

SAML Plugin 4.583.585.v22ccc1139f55 implements a replay cache
that rejects replayed requests.
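What a replay cache does, as an added illustration that is not code from the SAML Plugin or the advisory: each assertion ID is accepted once and remembered until its NotOnOrAfter time, so a captured response presented a second time is refused. The SAML response below is constructed; the namespace URIs are the standard SAML 2.0 ones. The check only means something after the response signature has been verified, since an unsigned ID could simply be changed.

```python
"""Replay cache for SAML responses: consume each assertion ID at most once,
and only inside the assertion's own validity window (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def parse_iso8601(value):
    """SAML timestamps are UTC ISO-8601 with a trailing 'Z'; return epoch seconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp()


class ReplayCache:
    """Remembers assertion IDs until they expire; a second presentation is a replay."""

    def __init__(self):
        self._seen = {}  # assertion ID -> NotOnOrAfter (epoch seconds)

    def size(self):
        return len(self._seen)

    def _evict(self, now):
        for aid in [a for a, until in self._seen.items() if until <= now]:
            del self._seen[aid]

    def check_and_record(self, assertion_id, not_on_or_after, now):
        self._evict(now)
        if now >= not_on_or_after:
            return False  # stale: outside the assertion's validity window
        if assertion_id in self._seen:
            return False  # replay: this ID was already consumed
        self._seen[assertion_id] = not_on_or_after
        return True


def accept_saml_response(xml_text, cache, now):
    """Return True only for a fresh, unexpired assertion; signature checks are assumed done."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False
    conditions = assertion.find("saml:Conditions", NS)
    assertion_id = assertion.get("ID")
    if assertion_id is None or conditions is None or conditions.get("NotOnOrAfter") is None:
        return False  # no ID or no expiry means no safe replay decision
    return cache.check_and_record(assertion_id, parse_iso8601(conditions.get("NotOnOrAfter")), now)


# Constructed sample response (not a real IdP message).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1b2c3" Version="2.0" IssueInstant="2025-10-29T10:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2025-10-29T10:00:00Z" NotOnOrAfter="2025-10-29T10:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    cache = ReplayCache()
    t0 = parse_iso8601("2025-10-29T10:01:00Z")
    first = accept_saml_response(SAMPLE_RESPONSE, cache, t0)        # fresh: accepted
    replay = accept_saml_response(SAMPLE_RESPONSE, cache, t0 + 30)  # same ID again: refused
    late = accept_saml_response(SAMPLE_RESPONSE, ReplayCache(), t0 + 600)  # expired: refused
    cache._evict(t0 + 600)  # entries are dropped once they can no longer be replayed
    return first, replay, late, cache.size()


if __name__ == "__main__":
    print(demo())
```

Entries only need to live until NotOnOrAfter, which keeps the cache bounded by the IdP's assertion lifetime; in a multi-node deployment the cache has to be shared, or the same response could be replayed against another node.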


Missing permission checks in MCP Server Plugin
SECURITY-3622 / CVE-2025-64132
Severity (CVSS): Medium
Affected plugin: mcp-server
Description:

MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform
permission checks in several MCP tools.

This allows attackers to do the following:

    Attackers with Item/Read permission can obtain information
about the configured SCM in a job despite lacking Item/Extended
Read permission (getJobScm).

    Attackers with Item/Read permission can trigger new builds of
a job despite lacking Item/Build permission (triggerBuild).

    Attackers without Overall/Read permission can retrieve the
names of configured clouds (getStatus).

MCP Server Plugin 0.86.v7d3355e6a_a_18 performs permission checks
for the affected MCP tools.


CSRF vulnerability in Extensible Choice Parameter Plugin
SECURITY-3583 / CVE-2025-64133
Severity (CVSS): Medium
Affected plugin: extensible-choice-parameter
Description:

Extensible Choice Parameter Plugin 239.v5f5c278708cf and earlier
does not require POST requests for an HTTP endpoint, resulting
in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to execute sandboxed Groovy
code.

As of publication of this advisory, there is no fix. Learn why
we announce this.


XXE vulnerability in JDepend Plugin
SECURITY-2936 / CVE-2025-64134
Severity (CVSS): High
Affected plugin: jdepend
Description:

JDepend Plugin 1.3.1 and earlier includes an outdated version of
JDepend Maven Plugin that does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers able to configure input files for the
"Report JDepend" step to have Jenkins parse a crafted file that
uses external entities for extraction of secrets from the
Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix. Learn why
we announce this.
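The fix the advisory calls for is a parser that refuses DTDs and external entities. As an added example (not JDepend's or the plugin's code), the Python parser below, built on the standard-library expat bindings, rejects any DOCTYPE, entity declaration or external entity reference before reading a JDepend-style package report. Both report documents are constructed; the element names follow JDepend's XML layout as I know it, and the external entity points at a placeholder path.

```python
"""XXE-hardened parsing of a JDepend-style XML report (added example)."""
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when the document carries a DTD or entity construct."""


def parse_report_hardened(xml_bytes):
    """Return {package name: {metric: int}} or raise UnsafeXmlError."""
    parser = expat.ParserCreate()
    # Never process parameter entities, so no external DTD is ever fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse(*args):
        # Any DOCTYPE, entity declaration or external entity reference aborts parsing.
        raise UnsafeXmlError("DTD/entity construct refused: %r" % (args[0],))

    parser.StartDoctypeDeclHandler = refuse
    parser.EntityDeclHandler = refuse
    parser.ExternalEntityRefHandler = refuse

    stats = {}  # package name -> {metric name: value}
    state = {"pkg": None, "field": None, "text": []}

    def start(name, attrs):
        if name == "Package":
            state["pkg"] = attrs.get("name", "?")
            stats[state["pkg"]] = {}
        elif state["pkg"] is not None and name != "Stats":
            state["field"], state["text"] = name, []

    def chars(data):
        if state["field"]:
            state["text"].append(data)

    def end(name):
        if name == state["field"]:
            value = "".join(state["text"]).strip()
            if value.isdigit():
                stats[state["pkg"]][name] = int(value)
            state["field"] = None
        elif name == "Package":
            state["pkg"] = None

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)
    return stats


def rejects(xml_bytes):
    """True if the hardened parser refuses the document."""
    try:
        parse_report_hardened(xml_bytes)
    except UnsafeXmlError:
        return True
    return False


# Constructed benign report.
SAMPLE_REPORT = b"""<?xml version="1.0"?>
<JDepend><Packages>
  <Package name="com.example.core">
    <Stats><TotalClasses>12</TotalClasses><ConcreteClasses>10</ConcreteClasses>
           <AbstractClasses>2</AbstractClasses><Ca>3</Ca><Ce>1</Ce></Stats>
  </Package>
</Packages></JDepend>"""

# Constructed report carrying an external entity; the path is a placeholder.
XXE_REPORT = b"""<?xml version="1.0"?>
<!DOCTYPE JDepend [ <!ENTITY ext SYSTEM "file:///placeholder-path"> ]>
<JDepend><Packages><Package name="&ext;"><Stats/></Package></Packages></JDepend>"""

if __name__ == "__main__":
    print(parse_report_hardened(SAMPLE_REPORT))
    print("second document refused:", rejects(XXE_REPORT))
```

Refusing the DOCTYPE outright is simpler and safer than trying to distinguish harmless internal entities from external ones: a build report has no legitimate need for a DTD.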


Java protection mechanism disabled in Eggplant Runner Plugin
SECURITY-3326 / CVE-2025-64135
Severity (CVSS): Medium
Affected plugin: eggplant-runner
Description:

Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier sets the
Java system property jdk.http.auth.tunneling.disabledSchemes to an
empty value as part of applying a proxy configuration.

This disables a protection mechanism of the Java runtime addressing
CVE-2016-5597.

As of publication of this advisory, there is no fix. Learn why we
announce this.


CSRF vulnerability and missing permission check in Themis Plugin
SECURITY-3517 / CVE-2025-64136 (CSRF), CVE-2025-64137 (permission
check)
Severity (CVSS): Medium
Affected plugin: themis
Description:

Themis Plugin 1.4.1 and earlier does not perform a permission check
in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL.

Additionally, this endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we
announce this.


CSRF vulnerability and missing permission check in Start Windocks
Containers Plugin
SECURITY-3531 / CVE-2025-64138 (CSRF), CVE-2025-64139 (permission
check)
Severity (CVSS): Medium
Affected plugin: windocks-start-container
Description:

Start Windocks Containers Plugin 1.4 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL.

Additionally, this endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we
announce this.


Shell command injection vulnerability in azure-cli Plugin
SECURITY-3538 / CVE-2025-64140
Severity (CVSS): High
Affected plugin: azure-cli
Description:

azure-cli Plugin 0.9 and earlier does not restrict which commands it
executes on the Jenkins controller.

This allows attackers with Item/Configure permission to execute
arbitrary shell commands on the Jenkins controller.

As of publication of this advisory, there is no fix. Learn why we
announce this.


CSRF vulnerability and missing permission checks in Nexus Task Runner
Plugin
SECURITY-3550 / CVE-2025-64141 (CSRF), CVE-2025-64142 (permission
check)
Severity (CVSS): Medium
Affected plugin: nexus-task-runner
Description:

Nexus Task Runner Plugin 0.9.2 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified username and password.

Additionally, this endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we
announce this.


Authorization Token stored in plain text by OpenShift Pipeline Plugin
SECURITY-3553 / CVE-2025-64143
Severity (CVSS): Medium
Affected plugin: openshift-pipeline
Description:

OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization
tokens unencrypted in job config.xml files on the Jenkins controller
as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission
or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we
announce this.


API tokens stored in plain text by ByteGuard Build Actions Plugin
SECURITY-3560 / CVE-2025-64144 (storage), CVE-2025-64145 (masking)
Severity (CVSS): Medium
Affected plugin: byteguard-build-actions
Description:

ByteGuard Build Actions Plugin 1.0 and earlier stores API tokens
unencrypted in job config.xml files on the Jenkins controller as
part of its configuration.

These tokens can be viewed by users with Item/Extended Read
permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these
credentials, increasing the potential for attackers to observe
and capture them.

As of publication of this advisory, there is no fix. Learn why we
announce this.


API Keys stored in plain text by Curseforge Publisher Plugin
SECURITY-3562 / CVE-2025-64146 (storage), CVE-2025-64147 (masking)
Severity (CVSS): Medium
Affected plugin: curseforge-publisher
Description:

Curseforge Publisher Plugin 1.0 and earlier stores API Keys
unencrypted in job config.xml files on the Jenkins controller
as part of its configuration.

These keys can be viewed by users with Item/Extended Read
permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these
keys, increasing the potential for attackers to observe and
capture them.

As of publication of this advisory, there is no fix. Learn why
we announce this.
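The OpenShift Pipeline, ByteGuard Build Actions and Curseforge Publisher entries all describe the same defect: a credential written to a job's config.xml as plain text instead of as a Jenkins Secret. As an added detection aid (not code from any of these plugins), the scanner below walks a config.xml and flags credential-looking elements whose value is not in the braced base64 form that Jenkins uses for encrypted Secret values. The config.xml, plugin names and key values are constructed; the tag-name pattern is a heuristic you should extend for your own plugins.

```python
"""Find plaintext credential-like values in Jenkins job config.xml files (added example)."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins hudson.util.Secret serializes encrypted values as base64 inside braces.
ENCRYPTED_VALUE = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")
# Heuristic: element names that usually hold something sensitive.
SENSITIVE_TAG = re.compile(r"(?i)(token|api[_-]?key|password|passwd|secret)")


def find_plaintext_secrets(config_xml):
    """Return findings as {path, plugin, length}; the value itself is never reported."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path, plugin):
        plugin = elem.get("plugin", plugin)  # nearest ancestor's plugin="name@version"
        for child in elem:
            child_path = path + "/" + child.tag
            value = (child.text or "").strip()
            if SENSITIVE_TAG.search(child.tag) and value and not ENCRYPTED_VALUE.match(value):
                findings.append({"path": child_path, "plugin": plugin, "length": len(value)})
            walk(child, child_path, plugin)

    walk(root, root.tag, None)
    return findings


def scan_jenkins_home(jenkins_home):
    """Scan every jobs/**/config.xml under a JENKINS_HOME; returns {file: findings}."""
    results = {}
    for cfg in Path(jenkins_home, "jobs").rglob("config.xml"):
        try:
            hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            hits = [{"path": "<unparseable>", "plugin": None, "error": str(exc)}]
        if hits:
            results[str(cfg)] = hits
    return results


# Constructed config.xml with hypothetical plugin names: one plaintext key, one encrypted token.
SAMPLE_CONFIG = """<project>
  <builders>
    <com.example.hypothetical.PublishStep plugin="hypothetical-publisher@1.0">
      <apiKey>sk-live-0123456789abcdef-constructed</apiKey>
      <targetUrl>https://api.example.test/upload</targetUrl>
    </com.example.hypothetical.PublishStep>
    <com.example.hypothetical.OtherStep plugin="hypothetical-other@2.0">
      <token>{AQAAABAAAAAgY29uc3RydWN0ZWRleGFtcGxlbm90cmVhbA==}</token>
    </com.example.hypothetical.OtherStep>
  </builders>
</project>"""

if __name__ == "__main__":
    for hit in find_plaintext_secrets(SAMPLE_CONFIG):
        print("plaintext credential at %(path)s (plugin %(plugin)s, %(length)d chars)" % hit)
```

Run `scan_jenkins_home("/var/lib/jenkins")` (or wherever JENKINS_HOME is) from the controller; a hit means the value is readable by anyone with Item/Extended Read on that job or with file-system access, exactly the exposure the advisory describes, and the credential should be rotated as well as moved into a Jenkins credential.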


Missing permission check in Publish to Bitbucket Plugin allows
enumerating credentials IDs
SECURITY-3570 / CVE-2025-64148
Severity (CVSS): Medium
Affected plugin: publish-to-bitbucket
Description:

Publish to Bitbucket Plugin 0.4 and earlier does not perform a
permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to enumerate
credentials IDs of credentials stored in Jenkins. Those can be
used as part of an attack to capture the credentials using
another vulnerability.

As of publication of this advisory, there is no fix. Learn why we
announce this.


CSRF vulnerability and missing permission check in Publish to
Bitbucket Plugin
SECURITY-3576 / CVE-2025-64149 (CSRF), CVE-2025-64150 (permission
check)
Severity (CVSS): Medium
Affected plugin: publish-to-bitbucket
Description:

Publish to Bitbucket Plugin 0.4 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to
an attacker-specified HTTP URL using attacker-specified
credentials IDs obtained through another method, capturing
credentials stored in Jenkins.

Additionally, this endpoint does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why
we announce this.


Severity

    SECURITY-2936: High
    SECURITY-3326: Medium
    SECURITY-3517: Medium
    SECURITY-3531: Medium
    SECURITY-3538: High
    SECURITY-3550: Medium
    SECURITY-3553: Medium
    SECURITY-3560: Medium
    SECURITY-3562: Medium
    SECURITY-3570: Medium
    SECURITY-3576: Medium
    SECURITY-3583: Medium
    SECURITY-3613: High
    SECURITY-3622: Medium


Affected Versions

    azure-cli Plugin up to and including 0.9
    ByteGuard Build Actions Plugin up to and including 1.0
    Curseforge Publisher Plugin up to and including 1.0
    Eggplant Runner Plugin up to and including 0.0.1.301.v963cffe8ddb_8
    Extensible Choice Parameter Plugin up to and including
239.v5f5c278708cf
    JDepend Plugin up to and including 1.3.1
    MCP Server Plugin up to and including 0.84.v50ca_24ef83f2
    Nexus Task Runner Plugin up to and including 0.9.2
    OpenShift Pipeline Plugin up to and including 1.0.57
    Publish to Bitbucket Plugin up to and including 0.4
    SAML Plugin up to and including 4.583.vc68232f7018a_
    Start Windocks Containers Plugin up to and including 1.4
    Themis Plugin up to and including 1.4.1


Fix

    MCP Server Plugin should be updated to version 0.86.v7d3355e6a_a_18
    SAML Plugin should be updated to version 4.583.585.v22ccc1139f55

These versions include fixes to the vulnerabilities described above.
All prior versions are considered to be affected by these
vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the
following plugins:

    azure-cli Plugin
    ByteGuard Build Actions Plugin
    Curseforge Publisher Plugin
    Eggplant Runner Plugin
    Extensible Choice Parameter Plugin
    JDepend Plugin
    Nexus Task Runner Plugin
    OpenShift Pipeline Plugin
    Publish to Bitbucket Plugin
    Start Windocks Containers Plugin
    Themis Plugin

Learn why we announce these issues.
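To turn the "Affected Versions" and "Fix" tables into a check against a running controller, the added script below (not part of the advisory or of Jenkins) compares installed plugin versions with the advisory's data. It assumes the plugin list has been exported from the Jenkins plugin manager JSON API, which returns each plugin's `shortName` and `version`; the installed list embedded here is constructed. Jenkins plugin versions such as `4.583.vc68232f7018a_` carry a non-ordered `v<hash>` suffix, so only the leading numeric components are compared.

```python
"""Flag installed Jenkins plugins that fall inside this advisory's affected ranges (added example)."""
import json

# From the advisory's "Affected Versions" table: plugin short name -> last affected version.
AFFECTED = {
    "azure-cli": "0.9",
    "byteguard-build-actions": "1.0",
    "curseforge-publisher": "1.0",
    "eggplant-runner": "0.0.1.301.v963cffe8ddb_8",
    "extensible-choice-parameter": "239.v5f5c278708cf",
    "jdepend": "1.3.1",
    "mcp-server": "0.84.v50ca_24ef83f2",
    "nexus-task-runner": "0.9.2",
    "openshift-pipeline": "1.0.57",
    "publish-to-bitbucket": "0.4",
    "saml": "4.583.vc68232f7018a_",
    "windocks-start-container": "1.4",
    "themis": "1.4.1",
}
# From the advisory's "Fix" section.
FIXED = {
    "mcp-server": "0.86.v7d3355e6a_a_18",
    "saml": "4.583.585.v22ccc1139f55",
}


def version_key(version):
    """Leading dot-separated integer components; the 'v<hash>' suffix carries no order."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def assess(installed):
    """installed: list of {"shortName": ..., "version": ...}; returns one finding per affected plugin."""
    findings = []
    for plugin in installed:
        name, version = plugin["shortName"], plugin["version"]
        if name not in AFFECTED:
            continue
        # "up to and including": equal numeric components count as affected (conservative).
        if version_key(version) <= version_key(AFFECTED[name]):
            action = ("update to " + FIXED[name]) if name in FIXED else "no fix published in this advisory"
            findings.append({"plugin": name, "installed": version, "action": action})
    return findings


def assess_api_json(text):
    """Accepts the body of JENKINS_URL/pluginManager/api/json?depth=1."""
    return assess(json.loads(text)["plugins"])


# Constructed installed-plugin list in the API's shape.
SAMPLE_INSTALLED = [
    {"shortName": "saml", "version": "4.583.vc68232f7018a_"},
    {"shortName": "mcp-server", "version": "0.86.v7d3355e6a_a_18"},
    {"shortName": "jdepend", "version": "1.3.1"},
    {"shortName": "eggplant-runner", "version": "0.0.1.301.v963cffe8ddb_8"},
    {"shortName": "git", "version": "5.7.0"},
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_INSTALLED):
        print("%(plugin)s %(installed)s: %(action)s" % finding)
```

For the plugins without a fix, the finding tells you which jobs and users to review against the permission each entry names (Item/Read, Item/Configure, Overall/Read); the advisory itself is the source for that decision.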


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Aris ISSAD, Aix Marseille University for SECURITY-3550
    CC Bomber, Kitri BoB for SECURITY-2936
    Daniel Beck, CloudBees, Inc. for SECURITY-3576
    Denys Digtiar, CloudBees, Inc. for SECURITY-3613
    Hamadache Mohamed, Aix Marseille University for SECURITY-3560,
SECURITY-3562
    Kevin Guerroudj, CloudBees, Inc. for SECURITY-3622
    Lotfi Yahi, Aix Marseille University for SECURITY-3531,
SECURITY-3570, SECURITY-3583
    Pierre Beitz, CloudBees, Inc. for SECURITY-3326
    Romuald Moisan, Aix Marseille University for SECURITY-3553
    Romuald Moisan, Aix Marseille University, and Vincent Lardet,
Aix Marseille University for SECURITY-3517
    Said Abdesslem Messadi, Aix Marseille University for SECURITY-3538


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================