Jenkins Security Advisory: Permission Bypass, Sandbox Escape, and Plaintext Storage Vulnerabilities

Critical Vulnerability Information Vulnerability Overview Announcement Date: 2025-04-02 Affected Jenkins Versions: - Jenkins (core) - AsakusaSatellite Plugin - Cadence vManager Plugin - monitor-remote-job Plugin - Simple Queue Plugin - Stack Hammer Plugin - Templating Engine Plugin Vulnerability Details 1. Missing permission check allows retrieving agent configurations - CVE: SECURITY-3512 / CVE-2025-31720 - Severity: Medium - Description: Jenkins 2.503 and earlier, LTS 2.492.2 and earlier, do not perform permission checks on HTTP endpoints. This allows attackers with Agent/Create permission but without Agent/Extended Read permission to copy agents and access their configurations. 2. Missing permission check allows retrieving secrets from agent configurations - CVE: SECURITY-3513 / CVE-2025-31721 - Severity: Medium - Description: Jenkins 2.503 and earlier, LTS 2.492.2 and earlier, do not perform permission checks on HTTP endpoints. This allows attackers with Agent/Create permission but without Agent/Configure permission to copy agents containing secrets. 3. Script Security sandbox bypass vulnerability through folder-scoped libraries in Templating Engine Plugin - CVE: SECURITY-3505 / CVE-2025-31722 - Severity: High - Affected Plugin: templating-engine - Description: In Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not sandbox-protected. This allows attackers with Item/Configure permission to execute arbitrary code. 4. CSRF vulnerability in Simple Queue Plugin - CVE: SECURITY-3469 / CVE-2025-31723 - Severity: Medium - Affected Plugin: simple-queue - Description: Simple Queue Plugin 1.4.6 and earlier do not require POST requests for multiple HTTP endpoints, leading to a Cross-Site Request Forgery (CSRF) vulnerability. 5. API keys stored in plain text by Cadence vManager Plugin - CVE: SECURITY-3537 / CVE-2025-31724 - Severity: Medium - Affected Plugin: vmanager-plugin - Description: Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier store Verisium Manager vAPI keys in plain text in job config.xml files. 6. Passwords stored in plain text by monitor-remote-job Plugin - CVE: SECURITY-3539 / CVE-2025-31725 - Severity: Medium - Affected Plugin: monitor-remote-job - Description: monitor-remote-job Plugin 1.0 stores passwords in plain text in job config.xml files. 7. API keys stored in plain text by Stack Hammer Plugin - CVE: SECURITY-3520 / CVE-2025-31726 - Severity: Medium - Affected Plugin: stackhammer - Description: Stack Hammer Plugin 1.0.0 and earlier store Stack Hammer API keys in plain text in job config.xml files. 8. API keys stored and displayed in plain text by AsakusaSatellite Plugin - CVE: SECURITY-3523 / CVE-2025-31727 (storage), CVE-2025-31728 (masking) - Severity: Medium - Affected Plugin: asakusa-satellite-plugin - Description: AsakusaSatellite Plugin 0.1.1 and earlier store AsakusaSatellite API keys in plain text in job config.xml files, and the job configuration form does not mask these API keys. Remediation Recommendations Update Jenkins weekly to version 2.504. Update Jenkins LTS to version 2.492.3. Update Cadence vManager Plugin to version 4.0.1-286.v9e25a_740b_a_48. Update Simple Queue Plugin to version 1.4.7. Update Templating Engine Plugin to version 2.5.4.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: Permission Bypass, Sandbox Escape, and Plaintext Storage Vulnerabilities