Jenkins Multiple Plugin Vulnerabilities: Privilege Escalation, Sandbox Bypass, and Plaintext Secrets (CVE-2025-31720 to 31728)

Critical Vulnerability Information 1. Missing Permission Check Allows Retrieval of Agent Configuration CVE: CVE-2025-31720 Severity: Medium (CVSS: Medium) Description: Jenkins versions 2.503 and earlier, LTS 2.492.2 and earlier, do not perform permission checks on HTTP endpoints. This allows attackers with Agent/Create permission but without Agent/Extended Read permission to copy agents and access their configuration. 2. Missing Permission Check Allows Retrieval of Secrets from Agent Configuration CVE: CVE-2025-31721 Severity: Medium (CVSS: Medium) Description: Jenkins versions 2.503 and earlier, LTS 2.492.2 and earlier, do not perform permission checks on HTTP endpoints. This allows attackers with Agent/Create permission but without Agent/Configure permission to copy agents containing secrets. 3. Script Security Sandbox Bypass via Folder-scoped Libraries in Templating Engine Plugin CVE: CVE-2025-31722 Severity: High (CVSS: High) Affected Plugin: templating-engine Description: The templating-engine plugin allows libraries to be defined in global configuration and within folders. Libraries defined in global configuration can only be set by administrators and are thus trusted, while libraries defined in folders can be configured by users with Item/Configure permission. In templating-engine plugin versions 2.5.3 and earlier, libraries defined in folders are not sandbox-protected. This allows attackers with Item/Configure permission to execute arbitrary code. 4. CSRF Vulnerability in Simple Queue Plugin CVE: CVE-2025-31723 Severity: Medium (CVSS: Medium) Affected Plugin: simple-queue Description: Simple Queue plugin versions 1.4.6 and earlier do not require POST requests for multiple HTTP endpoints, leading to a Cross-Site Request Forgery (CSRF) vulnerability. These vulnerabilities allow attackers to modify and reset the build queue order. 5. Cadence vManager Plugin Stores API Key in Plaintext CVE: CVE-2025-31724 Severity: Medium (CVSS: Medium) Affected Plugin: vmanager-plugin Description: Cadence vManager plugin versions 4.0.0-282,v5096a_c2db_275 and earlier store the Verisium Manager vAPI key in plaintext within the job config.xml file on the Jenkins controller. 6. monitor-remote-job Plugin Stores Password in Plaintext CVE: CVE-2025-31725 Severity: Medium (CVSS: Medium) Affected Plugin: monitor-remote-job Description: monitor-remote-job plugin versions 1.0 and earlier store passwords in plaintext within the job config.xml file on the Jenkins controller. 7. Stack Hammer Plugin Stores API Key in Plaintext CVE: CVE-2025-31726 Severity: Medium (CVSS: Medium) Affected Plugin: stackhammer Description: Stack Hammer plugin versions 1.0.6 and earlier store the Stack Hammer API key in plaintext within the job config.xml file on the Jenkins controller. 8. AsakusaSatellite Plugin Stores and Displays API Key in Plaintext CVE: CVE-2025-31727, CVE-2025-31728 Severity: Medium (CVSS: Medium) Affected Plugin: asakusa-satellite-plugin Description: AsakusaSatellite plugin versions 0.1.1 and earlier store the AsakusaSatellite API key in plaintext within the job config.xml file on the Jenkins controller, and the job configuration form does not mask these API keys.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Multiple Plugin Vulnerabilities: Privilege Escalation, Sandbox Bypass, and Plaintext Secrets (CVE-2025-31720 to 31728)