Jenkins Security Advisory: RCE, Info Leak, CSRF in Core & Plugins (CVE-2025-31720 to 31728)

Critical Vulnerability Information Vulnerability Overview Announcement Date: 2025-04-02 Affected Jenkins Versions: - Jenkins (core) - AsakusaSatellite Plugin - Cadence vManager Plugin - monitor-remote-job Plugin - Simple Queue Plugin - Stack Hammer Plugin - Templating Engine Plugin Vulnerability Details Missing Permission Checks Allow Retrieval of Agent Configuration CVE ID: CVE-2025-31720, CVE-2025-31721 Severity: Medium Description: Jenkins 2.503 and earlier versions, LTS 2.492.2 and earlier, do not enforce permission checks on HTTP endpoints. This allows attackers with Agent/Create permissions but without Agent/Extended Read permissions to copy agents and access their configurations. Script Security Sandbox Bypass via Folder-Scope Libraries CVE ID: CVE-2025-31722 Severity: High Affected Plugin: templating-engine Description: The Templating Engine Plugin allows libraries to be defined in global configuration and within folders. While libraries defined in global configuration can only be set by administrators and are thus trusted, libraries defined within folders can be configured by users with Item/Configure permissions. In Templating Engine Plugin versions 2.5.3 and earlier, libraries defined in folders are not sandboxed. This vulnerability allows attackers with Item/Configure permissions to execute arbitrary code in context. CSRF Vulnerability in Simple Queue Plugin CVE ID: CVE-2025-31723 Severity: Medium Affected Plugin: simple-queue Description: Simple Queue Plugin versions 1.4.6 and earlier do not require POST requests for multiple HTTP endpoints, leading to a Cross-Site Request Forgery (CSRF) vulnerability. These vulnerabilities allow attackers to modify and reset build queue order. API Keys Stored in Plaintext CVE ID: CVE-2025-31724, CVE-2025-31725, CVE-2025-31726, CVE-2025-31727, CVE-2025-31728 Severity: Medium Affected Plugins: vmanager-plugin, monitor-remote-job, stackhammer, asakusa-satellite-plugin Description: These plugins store API keys or passwords in plaintext within the job config.xml file, allowing users with Item/Extended Read permissions to view these keys or passwords. Affected Versions Jenkins weekly up to and including 2.503 Jenkins LTS up to and including 2.492.2 AsakusaSatellite Plugin up to and including 0.1.1 Cadence vManager Plugin up to and including 4.0.0-282.v5096a_c2db_275 monitor-remote-job Plugin up to and including 1.0 Simple Queue Plugin up to and including 1.4.6 Stack Hammer Plugin up to and including 1.0.0 Templating Engine Plugin up to and including 2.5.3 Remediation Recommendations Upgrade to the following versions: - Jenkins weekly: 2.504 - Jenkins LTS: 2.492.3 - Cadence vManager Plugin: 4.0.1-286.v9e25a_740b_a_48 - Simple Queue Plugin: 1.4.7 - Templating Engine Plugin: 2.5.4

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: RCE, Info Leak, CSRF in Core & Plugins (CVE-2025-31720 to 31728)