Jenkins and Plugins Security Advisory: RCE, Info Disclosure, CSRF (CVE-2025-31720-31724)

Critical Vulnerability Information Vulnerability Overview Announcement Date: 2025-04-02 Affected Jenkins Versions: - Jenkins (core) - AsakusaSatellite Plugin - Cadence vManager Plugin - monitor-remote-job Plugin - Simple Queue Plugin - Stack Hammer Plugin - Templating Engine Plugin Vulnerability Details 1. Missing permission check allows retrieving agent configurations - CVE ID: SECURITY-3512 / CVE-2025-31720 - Severity: Medium - Description: Jenkins 2.503 and earlier, LTS 2.492.2 and earlier, do not perform permission checks on HTTP endpoints. This allows attackers with Agent/Create permission but without Agent/Extended Read permission to clone agents and access their configurations. 2. Missing permission check allows retrieving secrets from agent configurations - CVE ID: SECURITY-3513 / CVE-2025-31721 - Severity: Medium - Description: Jenkins 2.503 and earlier, LTS 2.492.2 and earlier, do not perform permission checks on HTTP endpoints. This allows attackers with Agent/Create permission but without Agent/Configure permission to clone agents containing secrets. 3. Script Security sandbox bypass vulnerability through folder-scoped libraries in Templating Engine Plugin - CVE ID: SECURITY-3505 / CVE-2025-31722 - Severity: High - Affected Plugin: templating-engine - Description: The Templating Engine Plugin allows libraries to be defined in global configuration and in folders used by pipelines. While libraries defined in global configuration can only be set by administrators and are thus trusted, libraries defined in folders can be configured by users with Item/Configure permission. This vulnerability allows attackers with Item/Configure permission to execute arbitrary code in the host console. 4. CSRF vulnerability in Simple Queue Plugin - CVE ID: SECURITY-3469 / CVE-2025-31723 - Severity: Medium - Affected Plugin: simple-queue - Description: Simple Queue Plugin 1.4.6 and earlier do not require POST requests for multiple HTTP endpoints, leading to a Cross-Site Request Forgery (CSRF) vulnerability. 5. API keys stored in plain text by Cadence vManager Plugin - CVE ID: SECURITY-3537 / CVE-2025-31724 - Severity: Medium - Affected Plugin: vmanager-plugin - Description: Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier store Verisium Manager vAPI keys in plain text within job config.xml files. 6. Passwords stored in plain text by monitor-remote-job Plugin - CVE ID: SECURITY-3539 / CVE-2025-31725 - Severity: Medium - Affected Plugin: monitor-remote-job - Description: monitor-remote-job Plugin 1.0 and earlier store passwords in plain text within job config.xml files. 7. API keys stored in plain text by Stack Hammer Plugin - CVE ID: SECURITY-3520 / CVE-2025-31726 - Severity: Medium - Affected Plugin: stackhammer - Description: Stack Hammer Plugin 1.0.0 and earlier store Stack Hammer API keys in plain text within job config.xml files. 8. API keys stored and displayed in plain text by AsakusaSatellite Plugin - CVE ID: SECURITY-3523 / CVE-2025-31727 (storage), CVE-2025-31728 (masking) - Severity: Medium - Affected Plugin: asakusa-satellite-plugin - Description: AsakusaSatellite Plugin 0.1.1 and earlier store AsakusaSatellite API keys in plain text within job config.xml files, and the job configuration form does not mask these API keys. Affected Versions Jenkins weekly up to and including 2.503 Jenkins LTS up to and including 2.492.2 AsakusaSatellite Plugin up to and including 0.1.1 Cadence vManager Plugin up to and including 4.0.0-282.v5096a_c2db_275 monitor-remote-job Plugin up to and including 1.0 Simple Queue Plugin up to and including 1.4.6 Stack Hammer Plugin up to and including 1.0.0 Templating Engine Plugin up to and including 2.5.3 Remediation Recommendations Jenkins weekly should be updated to version 2.504 Jenkins LTS should be updated to version 2.492.3 Cadence vManager Plugin should be updated to version 4.0.1-286.v9e25a_740b_a_48 Simple Queue Plugin should be updated to version 1.4.7 Templating Engine Plugin should be updated to version 2.5.4

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins and Plugins Security Advisory: RCE, Info Disclosure, CSRF (CVE-2025-31720-31724)