=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN841
_____________________________________________________________________

DATE                : 11/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins (core),
                       BlazeMeter Plugin,
                       Coverage Plugin,
                       Git client Plugin,
                       HashiCorp Vault Plugin,
                       Redpen - Pipeline Reporter for Jira Plugin.

=====================================================================
https://www.jenkins.io/security/advisory/2025-12-10/
_____________________________________________________________________

 Jenkins Security Advisory 2025-12-10

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Jenkins (core)
    BlazeMeter Plugin
    Coverage Plugin
    Git client Plugin
    HashiCorp Vault Plugin
    Redpen - Pipeline Reporter for Jira Plugin


Descriptions

Denial of service vulnerability in HTTP-based CLI
SECURITY-3630 / CVE-2025-67635
Severity (CVSS): High
Description:

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly
close HTTP-based CLI connections when the connection stream becomes
corrupted.

This allows unauthenticated attackers to cause a denial of service by
creating HTTP-based CLI connection requests, resulting in
request-handling threads waiting indefinitely.

Jenkins 2.541, LTS 2.528.3 properly closes HTTP-based CLI connections
when the connection stream becomes corrupted.


Missing permission check on password fields
SECURITY-1809 / CVE-2025-67636
Severity (CVSS): Medium
Description:

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not perform
a permission check to determine whether a password field should be
redacted in views.

This allows attackers with View/Read permission to view encrypted
password values in views.

    The regular view configuration form requires View/Configure
    permission to access. This vulnerability requires that a plugin
    implements a page for a view that shows a password field without
    performing a View/Configure permission check, and does not set the
    readOnlyMode variable introduced to support JEP-224. As of the
    publication of this advisory, the Jenkins security team is not
    aware of any exploitable implementation.

Jenkins 2.541, LTS 2.528.3 requires View/Configure permission to
view encrypted password values in views.

    In case of problems, administrators can disable this
    security fix by setting the system property
    hudson.Functions.nonRecursivePasswordMaskingPermissionCheck to true.


Build authorization token stored and displayed in plain text
SECURITY-783 / CVE-2025-67637 (storage), CVE-2025-67638 (masking)
Severity (CVSS): Medium
Description:

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build
authorization tokens unencrypted in job config.xml files on the
Jenkins controller.

These tokens can be viewed by users with Item/Extended Read
permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these
tokens, increasing the potential for attackers to observe and
capture them.

Jenkins 2.541, LTS 2.528.3 masks build authorization tokens
displayed on the configuration form, and stores them encrypted
once job configurations are saved again.

    All affected job configurations can be migrated to the
    new (encrypted) format at once. Navigate to Manage
    Jenkins » Manage Old Data and choose Upgrade in the section
    Old Data Format.


CSRF vulnerability on the login form
SECURITY-1166 / CVE-2025-67639
Severity (CVSS): Low
Description:

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not
require a cross-site request forgery (CSRF) token (crumb) for
the URL handling interactive login HTTP requests, resulting in
a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to trick users into logging
in to the attacker’s account.

Jenkins 2.541, LTS 2.528.3 validates CSRF tokens when processing
login requests.

    In case of problems, administrators can disable this
    security fix by setting the system property
    hudson.security.AuthenticationProcessingFilter2.skipCSRFCheck to
    true.


OS command injection vulnerability on agents in Git client Plugin
SECURITY-3614 / CVE-2025-67640
Severity (CVSS): Medium
Affected plugin: git-client
Description:

Git client Plugin generates temporary script files to provide
credentials (e.g., SSH_ASKPASS).

In Git client Plugin 6.4.0 and earlier, these script files contain
the path to the workspace directory as part of a command argument.
This argument is not correctly escaped, allowing attackers able to
control the workspace directory name to inject arbitrary OS commands.

    This vulnerability only has an impact when attackers can
    control working directories (e.g., the argument to the dir(…)
    Pipeline step) while not being able to control the Pipeline itself
    or the programs or build scripts it executes.

Git client Plugin 6.4.1 passes the workspace directory path as an
environment variable to the script, preventing command injection.


Stored XSS vulnerability in Coverage Plugin
SECURITY-3611 / CVE-2025-67641
Severity (CVSS): High
Affected plugin: coverage
Description:

Coverage Plugin uses coverage results IDs to create the links to
coverage results on the Jenkins UI.

Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate
the configured coverage results ID when creating coverage results, only
when submitting the job configuration through the UI. This allows
attackers with Item/Configure permission to use a javascript: scheme
URL as identifier by configuring the job through the REST API,
resulting in a stored cross-site scripting (XSS) vulnerability.

    This vulnerability is not exploitable on Jenkins 2.539 or
    newer with Content Security Policy protection enforced.

Coverage Plugin 2.3056.v1dfe888b_0249 validates coverage results IDs
when creating coverage results, ensuring no result is created with a
javascript: scheme URL as identifier.

Additionally, the plugin will refuse to load any existing coverage
results with invalid identifiers.


Exposure of system-scoped Vault credentials in HashiCorp Vault
Plugin
SECURITY-3045 / CVE-2025-67642
Severity (CVSS): Medium
Affected plugin: hashicorp-vault-plugin
Description:

HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier does not set
the appropriate context for Vault credentials lookup, allowing the
use of System-scoped credentials otherwise reserved for the global
configuration.

This allows attackers with Item/Configure permission to access and
potentially capture Vault credentials they are not entitled to.

As of publication of this advisory, there is no fix. Learn why we
announce this.


Missing permission check in BlazeMeter Plugin allows enumerating
credentials IDs
SECURITY-3091 / CVE-2025-13472
Severity (CVSS): Medium
Affected plugin: BlazeMeterJenkinsPlugin
Description:

BlazeMeter Plugin 4.26 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate
credentials IDs of credentials stored in Jenkins. Those can be
used as part of an attack to capture the credentials using
another vulnerability.

An enumeration of credentials IDs in BlazeMeter Plugin 4.27
requires the appropriate permissions.


Path traversal vulnerability in Redpen - Pipeline Reporter for
Jira Plugin
SECURITY-3290 / CVE-2025-67643
Severity (CVSS): Medium
Affected plugin: pipeline-reporter-by-redpen
Description:

Redpen - Pipeline Reporter for Jira Plugin 1.054.v7b_9517b_6b_202
and earlier does not correctly perform path validation of the
workspace directory while uploading artifacts to Jira.

Additionally, Redpen - Pipeline Reporter for Jira Plugin does not
support distributed builds, causing artifact uploads to occur
from the Jenkins controller rather than from the agent executing
the build.

This results in a path traversal vulnerability, allowing attackers
with Item/Configure permission to retrieve files present on the
Jenkins controller workspace directory.

As of publication of this advisory, there is no fix. Learn why we
announce this.


Severity

    SECURITY-783: Medium
    SECURITY-1166: Low
    SECURITY-1809: Medium
    SECURITY-3045: Medium
    SECURITY-3091: Medium
    SECURITY-3290: Medium
    SECURITY-3611: High
    SECURITY-3614: Medium
    SECURITY-3630: High


Affected Versions

    Jenkins weekly up to and including 2.540
    Jenkins LTS up to and including 2.528.2
    BlazeMeter Plugin up to and including 4.26
    Coverage Plugin up to and including 2.3054.ve1ff7b_a_a_123b_
    Git client Plugin up to and including 6.4.0
    HashiCorp Vault Plugin up to and including 371.v884a_4dd60fb_6
    Redpen - Pipeline Reporter for Jira Plugin up to and
        including 1.054.v7b_9517b_6b_202


Fix

    Jenkins weekly should be updated to version 2.541
    Jenkins LTS should be updated to version 2.528.3
    BlazeMeter Plugin should be updated to version 4.27
    Coverage Plugin should be updated to version 2.3056.v1dfe888b_0249
    Git client Plugin should be updated to version 6.4.1

These versions include fixes to the vulnerabilities described
above. All prior versions are considered to be affected by these
vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the
following plugins:

    HashiCorp Vault Plugin
    Redpen - Pipeline Reporter for Jira Plugin

Learn why we announce these issues.
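
As an added example that is not part of the CERT-Renater bulletin or the Jenkins advisory, the following Python script compares a controller's installed core and plugin versions with the fixed versions listed above, flagging the two plugins that have no fix. It assumes the plugin list has the shortName/version shape of the 'plugins' array returned by a controller's pluginManager/api/json?depth=1 endpoint; the SAMPLE data is constructed.

```python
# Added example (not from the advisory): compare installed Jenkins core and plugin versions
# with the fixed versions above. SAMPLE mimics 'plugins' from pluginManager/api/json?depth=1.
FIXED = {  # plugin shortName -> first fixed version (advisory "Fix" section)
    "git-client": "6.4.1",
    "coverage": "2.3056.v1dfe888b_0249",
    "BlazeMeterJenkinsPlugin": "4.27",
}
NO_FIX = {"hashicorp-vault-plugin", "pipeline-reporter-by-redpen"}  # no fix yet
FIXED_WEEKLY, FIXED_LTS = "2.541", "2.528.3"

def numeric_prefix(version):
    """Leading dotted integers; the '.v<hash>' tail of incremental versions is a commit id, not ordered."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def core_is_fixed(version):
    """Weekly releases are X.Y and LTS releases are X.Y.Z; each line has its own fix."""
    v = numeric_prefix(version)
    return v >= numeric_prefix(FIXED_LTS if len(v) == 3 else FIXED_WEEKLY)

def plugin_status(short_name, version):
    if short_name in NO_FIX:
        return "affected (no fix available)"
    if short_name not in FIXED:
        return "not in advisory"
    if numeric_prefix(version) >= numeric_prefix(FIXED[short_name]):
        return "fixed"
    return "update to " + FIXED[short_name]

def audit(core_version, plugins):
    """Status of core plus every installed plugin the advisory names."""
    report = {"jenkins": "fixed" if core_is_fixed(core_version) else "update core"}
    for p in plugins:
        status = plugin_status(p["shortName"], p["version"])
        if status != "not in advisory":
            report[p["shortName"]] = status
    return report

SAMPLE = [  # constructed: an LTS controller with plugins in mixed states
    {"shortName": "git-client", "version": "6.4.0"},
    {"shortName": "coverage", "version": "2.3056.v1dfe888b_0249"},
    {"shortName": "hashicorp-vault-plugin", "version": "371.v884a_4dd60fb_6"},
]

if __name__ == "__main__":
    for component, status in audit("2.528.2", SAMPLE).items():
        print(f"{component}: {status}")
```

Plugins the advisory does not name are omitted from the report; a flagged HashiCorp Vault or Redpen plugin stays flagged whatever its version until the project publishes a fix.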


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Camilo Vera Vidales
        (https://www.linkedin.com/in/camilo-vera-vidales/) for SECURITY-3630
    Daniel Beck, CloudBees, Inc. for SECURITY-1809
    James Nord, CloudBees, Inc. for SECURITY-783
    Kevin Guerroudj, CloudBees, Inc. for SECURITY-3611
    Paul Walker, Ascension Health for SECURITY-3045
    Yaroslav Afenkin, CloudBees, Inc. for SECURITY-3290
    Yaroslav Afenkin, CloudBees, Inc. and Kevin Guerroudj, CloudBees,
        Inc. for SECURITY-3091



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================