Message-ID: <CAKG2iZhP6ZSrAezY+98AAU6foE5Ed7bV5B1q1u3XeGNmYfiLEQ@mail.gmail.com>
Date: Wed, 10 Dec 2025 16:43:44 +0100
From: Kevin Guerroudj <kguerroudj@...udbees.com>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.541
* Jenkins LTS 2.528.3
* BlazeMeter Plugin 4.27
* Coverage Plugin 2.3056.v1dfe888b_0249
* Git client Plugin 6.4.1

Additionally, we announce unresolved security issues in the following plugins:

* HashiCorp Vault Plugin
* Redpen - Pipeline Reporter for Jira Plugin

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://www.jenkins.io/security/advisory/2025-12-10/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3630 / CVE-2025-67635
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted.

This allows unauthenticated attackers to cause a denial of service by creating HTTP-based CLI connection requests, resulting in request-handling threads waiting indefinitely.

SECURITY-1809 / CVE-2025-67636
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not perform a permission check to determine whether a password field should be redacted in views.

This allows attackers with View/Read permission to view encrypted password values in views.

NOTE: The regular view configuration form requires View/Configure permission to access. This vulnerability requires that a plugin implements a page for a view that shows a password field without performing a View/Configure permission check, and does not set the `readOnlyMode` variable introduced to support JEP-224. As of the publication of this advisory, the Jenkins security team is not aware of any exploitable implementation.

SECURITY-783 / CVE-2025-67637 (storage) & CVE-2025-67638 (masking)
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job `config.xml` files on the Jenkins controller.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

SECURITY-1166 / CVE-2025-67639
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not require a cross-site request forgery (CSRF) token (crumb) for the URL handling interactive login HTTP requests, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to trick users into logging in to the attacker's account.

SECURITY-3614 / CVE-2025-67640
Git client Plugin generates temporary script files to provide credentials (e.g., `SSH_ASKPASS`).

In Git client Plugin 6.4.0 and earlier, these script files contain the path to the workspace directory as part of a command argument. This argument is not correctly escaped, allowing attackers able to control the workspace directory name to inject arbitrary OS commands.

NOTE: This vulnerability only has an impact when attackers can control working directories (e.g., the argument to the `dir(…)` Pipeline step) while not being able to control the Pipeline itself or the programs or build scripts it executes.

SECURITY-3611 / CVE-2025-67641
Coverage Plugin uses coverage results IDs to create the links to coverage results on the Jenkins UI.

Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI.

This allows attackers with Item/Configure permission to use a `javascript:` scheme URL as identifier by configuring the job through the REST API, resulting in a stored cross-site scripting (XSS) vulnerability.

NOTE: This vulnerability is not exploitable on Jenkins 2.539 or newer with Content Security Policy protection enforced.

SECURITY-3045 / CVE-2025-67642
HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier does not set the appropriate context for Vault credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and potentially capture Vault credentials they are not entitled to.

As of publication of this advisory, there is no fix.

SECURITY-3091 / CVE-2025-13472
BlazeMeter Plugin 4.26 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

SECURITY-3290 / CVE-2025-67643
Redpen - Pipeline Reporter for Jira Plugin 1.054.v7b_9517b_6b_202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira. Additionally, Redpen - Pipeline Reporter for Jira Plugin does not support distributed builds, causing artifact uploads to occur from the Jenkins controller rather than from the agent executing the build.

This results in a path traversal vulnerability, allowing attackers with Item/Configure permission to retrieve files present on the Jenkins controller workspace directory.

As of publication of this advisory, there is no fix.
--
CONFIDENTIALITY NOTICE: This email and any attachments contain confidential and proprietary information of CloudBees intended only for the named recipient(s). Unauthorized use or distribution is prohibited. If you received this in error, please notify the sender and delete this email.
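The two workspace-path entries above, SECURITY-3614 (an unescaped workspace path embedded as a command argument in a generated helper script) and SECURITY-3290 (a workspace path not confined to its root), share a root cause: a directory name a build author can influence is used without being treated as untrusted input. The following is an added example, not code from Jenkins, the Git client Plugin or the Redpen plugin, showing the two defensive checks in Python. The script shape (`exec cat <workspace>/.credential`), the function names, and the sample directory names and root path are constructed for illustration and do not reflect how the plugins actually build their scripts or paths.

```python
"""Added example (not Jenkins or plugin code): two checks on a workspace path that
a build author may influence, mirroring SECURITY-3614 (unescaped path inside a
generated shell script) and SECURITY-3290 (workspace path not contained to its
root). Script shape, names and paths are constructed for illustration."""
import os
import shlex
from typing import List


def render_helper_script_unsafe(workspace: str) -> str:
    """Hypothetical credential-helper script with the workspace path pasted
    straight into a command line: metacharacters in the directory name are
    parsed by the shell as command syntax."""
    return f"#!/bin/sh\nexec cat {workspace}/.credential\n"


def render_helper_script_safe(workspace: str) -> str:
    """Same script with the argument passed through shlex.quote(): the value is
    wrapped in single quotes (embedded quotes escaped), so the shell sees exactly
    one argument regardless of its contents."""
    return f"#!/bin/sh\nexec cat {shlex.quote(workspace + '/.credential')}\n"


def shell_words(script: str) -> List[str]:
    """Split the command line of a rendered script the way a POSIX shell would,
    with ';', '|', '&' and friends as separate tokens, to expose the word
    boundaries the shell would actually see."""
    command_line = script.splitlines()[1]
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def resolve_inside(root: str, candidate: str) -> str:
    """Return the absolute path of `candidate` under `root` only if it stays
    inside `root` after '..' and symlinks are resolved; raise ValueError otherwise.
    commonpath() is used instead of str.startswith(): a plain prefix test would
    accept '/ws/job-evil/x' as being inside '/ws/job'."""
    real_root = os.path.realpath(root)
    # os.path.join drops `root` when `candidate` is absolute; realpath plus the
    # commonpath comparison below rejects that case as well.
    real_path = os.path.realpath(os.path.join(real_root, candidate))
    if os.path.commonpath([real_root, real_path]) != real_root:
        raise ValueError(f"path escapes workspace root: {candidate!r}")
    return real_path


def is_inside(root: str, candidate: str) -> bool:
    """Boolean wrapper around resolve_inside() for callers that only need a verdict."""
    try:
        resolve_inside(root, candidate)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hostile_name = "ws;id;"  # constructed directory name containing shell separators
    print(shell_words(render_helper_script_unsafe(hostile_name)))  # three commands
    print(shell_words(render_helper_script_safe(hostile_name)))    # one argument
    root = "/srv/jenkins/workspace/job"  # constructed workspace root
    print(resolve_inside(root, "build/coverage.xml"))
    for bad in ("../../secrets/credentials.xml", "/etc/hostname", "../job-evil/x"):
        print("rejected:", bad, "->", is_inside(root, bad))
```

The word split of the unsafe script shows the directory name turning into extra commands, while the quoted version keeps it as a single argument; the containment check resolves first and compares afterwards, so `..` segments, absolute paths and sibling directories that merely share a prefix with the root are all rejected.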
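SECURITY-3611 above describes a validation that lived only in the UI form submission path, so the same value arriving through the REST API was never checked. The added example below, which is not Coverage Plugin code, shows the design that closes that gap in Python: the allowlist is enforced in the configuration object's setter, so every way of constructing the object (form fields, REST `config.xml`) passes through one check. The `resultId` element name, the identifier pattern and the link layout are assumptions made for the illustration, not the plugin's real schema.

```python
"""Added example (not Coverage Plugin code): enforce an identifier allowlist in
the configuration model itself so that the UI form and the REST API share one
validation path, as opposed to the form being the only guard (SECURITY-3611).
The XML element name, ID pattern and URL layout are constructed assumptions."""
import re
import xml.etree.ElementTree as ET

# Allowlist for an identifier that becomes a URL path segment: no scheme
# separator, slash or markup can ever pass, so "javascript:"-style values are
# refused before they reach any view or link.
RESULT_ID_PATTERN = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


class CoverageResultConfig:
    def __init__(self, result_id: str) -> None:
        self.result_id = result_id  # routed through the validating setter

    @property
    def result_id(self) -> str:
        return self._result_id

    @result_id.setter
    def result_id(self, value: str) -> None:
        # Every code path that creates or edits a config lands here.
        if not RESULT_ID_PATTERN.fullmatch(value):
            raise ValueError(f"invalid coverage result id: {value!r}")
        self._result_id = value


def from_form(fields: dict) -> CoverageResultConfig:
    """UI form submission path (the one that already validated in the advisory)."""
    return CoverageResultConfig(fields["resultId"])


def from_rest_xml(xml_text: str) -> CoverageResultConfig:
    """REST config.xml path (the one that skipped validation in the advisory).
    It builds the same object through the same setter, so it cannot bypass it."""
    root = ET.fromstring(xml_text)  # constructed sample document shape
    return CoverageResultConfig(root.findtext("resultId", default=""))


def result_link(job_url: str, config: CoverageResultConfig) -> str:
    """Build the href for a result page. The id is safe to place here only
    because the model refused anything outside the allowlist; HTML-escaping
    alone would not stop a scheme smuggled into a link target."""
    return f"{job_url.rstrip('/')}/coverage/{config.result_id}/"


def accepts(build, payload) -> bool:
    """True if `build(payload)` yields a config, False if validation rejects it."""
    try:
        build(payload)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good_xml = "<project><resultId>jacoco-main</resultId></project>"
    bad_xml = "<project><resultId>javascript:void(0)</resultId></project>"
    print(result_link("https://ci.example/job/app/", from_rest_xml(good_xml)))
    print("REST path accepts scheme id:", accepts(from_rest_xml, bad_xml))
    print("form path accepts scheme id:", accepts(from_form, {"resultId": "javascript:void(0)"}))
```

The point is structural rather than the pattern itself: a check that lives in the form handler protects one entry point, whereas a check in the model's setter protects every entry point, including ones added later.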