CloudBees Security Advisory 2025-10-29

This advisory announces vulnerabilities in CloudBees CI and Jenkins.

Replay vulnerability in SAML Plugin

SECURITY-3613 / CVE-2025-64131
Severity (CVSS): High
Affected plugin: saml
Description:

SAML Plugin 4.583.vc68232f7018a_ and earlier does not implement a replay cache.

This allows attackers able to obtain information about the SAML authentication flow between a user’s web browser and Jenkins to replay those requests, authenticating to Jenkins as that user.

SAML Plugin 4.583.585.v22ccc1139f55 implements a replay cache that rejects replayed requests.

CloudBees CI managed controllers in High Availability (HA) mode need to be updated to version 2.528.1.29795 for this fix to be effective.
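The fix described above is a replay cache. As an added illustration, not the SAML Plugin's own code, here is a minimal cache that remembers each assertion ID until the assertion's NotOnOrAfter plus a clock-skew allowance and rejects any second presentation; the class and method names are assumptions.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Assumed replay cache keyed by SAML assertion ID (not the plugin's implementation). */
public final class SamlReplayCache {
    private final Map<String, Instant> seen = new ConcurrentHashMap<>();
    private final Clock clock;
    private final Duration skew;

    public SamlReplayCache(Clock clock, Duration skew) {
        this.clock = clock;
        this.skew = skew;
    }

    /**
     * Accepts an assertion only on its first presentation. Expired assertions are
     * rejected outright; everything else is remembered until it would have expired
     * anyway, so the cache cannot grow without bound.
     */
    public boolean acceptOnce(String assertionId, Instant notOnOrAfter) {
        Instant now = clock.instant();
        Instant keepUntil = notOnOrAfter.plus(skew);
        if (!now.isBefore(keepUntil)) {
            return false;
        }
        evictExpired(now);
        // putIfAbsent is atomic: two concurrent presentations of one ID cannot both win
        return seen.putIfAbsent(assertionId, keepUntil) == null;
    }

    private void evictExpired(Instant now) {
        seen.entrySet().removeIf(e -> !now.isBefore(e.getValue()));
    }

    public static void main(String[] args) {
        SamlReplayCache cache = new SamlReplayCache(Clock.systemUTC(), Duration.ofMinutes(3));
        Instant notOnOrAfter = Instant.now().plus(Duration.ofMinutes(5));
        String id = "_constructed-assertion-id"; // constructed value, not a real assertion
        System.out.println("first presentation accepted: " + cache.acceptOnce(id, notOnOrAfter));
        System.out.println("replay accepted: " + cache.acceptOnce(id, notOnOrAfter));
    }
}
```

A map inside one JVM only protects that process: on a multi-replica HA controller the set of seen IDs has to be shared across replicas, which is presumably why the advisory ties the fix in HA mode to a core update.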

Missing permission checks in MCP Server Plugin

SECURITY-3622 / CVE-2025-64132
Severity (CVSS): Medium
Affected plugin: mcp-server
Description:

MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in several MCP tools.

This allows the following:

  • Attackers with Item/Read permission can obtain information about the configured SCM in a job despite lacking Item/Extended Read permission (getJobScm).

  • Attackers with Item/Read permission can trigger new builds of a job despite lacking Item/Build permission (triggerBuild).

  • Attackers without Overall/Read permission can retrieve the names of configured clouds (getStatus).

MCP Server Plugin 0.86.v7d3355e6a_a_18 performs permission checks for the affected MCP tools.

This fix was originally published on September 25, 2025. The MCP Server Plugin bundled in CloudBees CI 2.528.1.29783 (released on October 15, 2025) already contains this fix.
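The three tools above each need a different permission beyond Item/Read. As an added illustration, not the MCP Server Plugin's code, the following assumed tool methods show which check guards which operation; it assumes the tool runs on the thread carrying the calling user's authentication, which is what checkPermission evaluates.

```java
import hudson.model.Item;
import hudson.model.Job;
import hudson.scm.SCM;
import hudson.slaves.Cloud;
import java.util.ArrayList;
import java.util.List;
import jenkins.model.Jenkins;
import jenkins.model.ParameterizedJobMixIn;
import jenkins.triggers.SCMTriggerItem;

/**
 * Assumed tool implementations (not the MCP Server Plugin's code). getItemByFullName
 * already enforces Item/Read on the caller; the finer-grained checks below are the
 * ones the advisory says were missing.
 */
public final class GuardedTools {
    private static Job<?, ?> job(String fullName) {
        Job<?, ?> job = Jenkins.get().getItemByFullName(fullName, Job.class);
        if (job == null) throw new IllegalArgumentException("No such job: " + fullName);
        return job;
    }

    /** SCM configuration is part of the job definition, so reading it needs Item/Extended Read. */
    public static List<String> getJobScm(String fullName) {
        Job<?, ?> job = job(fullName);
        job.checkPermission(Item.EXTENDED_READ);
        List<String> types = new ArrayList<>();
        SCMTriggerItem trigger = SCMTriggerItem.SCMTriggerItems.asSCMTriggerItem(job);
        if (trigger != null) {
            for (SCM scm : trigger.getSCMs()) types.add(scm.getType());
        }
        return types;
    }

    /** Scheduling a build needs Item/Build, not merely the ability to see the job. */
    public static boolean triggerBuild(String fullName) {
        Job<?, ?> job = job(fullName);
        job.checkPermission(Item.BUILD);
        return ParameterizedJobMixIn.scheduleBuild2(job, 0) != null; // null: not buildable
    }

    /** Cloud names are controller-level configuration; the caller needs Overall/Read. */
    public static List<String> getStatus() {
        Jenkins jenkins = Jenkins.get();
        jenkins.checkPermission(Jenkins.READ);
        List<String> names = new ArrayList<>();
        for (Cloud cloud : jenkins.clouds) names.add(cloud.name);
        return names;
    }
}
```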

CSRF vulnerability in Extensible Choice Parameter Plugin

SECURITY-3583 / CVE-2025-64133
Severity (CVSS): Medium
Affected plugin: extensible-choice-parameter
Description:

Extensible Choice Parameter Plugin 239.v5f5c278708cf and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to execute sandboxed Groovy code.

As of publication of this advisory, there is no fix. Learn why we announce this.

XXE vulnerability in JDepend Plugin

SECURITY-2936 / CVE-2025-64134
Severity (CVSS): High
Affected plugin: jdepend
Description:

JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to configure input files for the "Report JDepend" step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix. Learn why we announce this.

Java protection mechanism disabled in Eggplant Runner Plugin

SECURITY-3326 / CVE-2025-64135
Severity (CVSS): Medium
Affected plugin: eggplant-runner
Description:

Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier sets the Java system property jdk.http.auth.tunneling.disabledSchemes to an empty value as part of applying a proxy configuration.

This disables a protection mechanism of the Java runtime addressing CVE-2016-5597.

As of publication of this advisory, there is no fix. Learn why we announce this.

CSRF vulnerability and missing permission check in Themis Plugin

SECURITY-3517 / CVE-2025-64136 (CSRF), CVE-2025-64137 (permission check)
Severity (CVSS): Medium
Affected plugin: themis
Description:

Themis Plugin 1.4.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.

CSRF vulnerability and missing permission check in Start Windocks Containers Plugin

SECURITY-3531 / CVE-2025-64138 (CSRF), CVE-2025-64139 (permission check)
Severity (CVSS): Medium
Affected plugin: windocks-start-container
Description:

Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.

Shell command injection vulnerability in Azure CLI Plugin

SECURITY-3538 / CVE-2025-64140
Severity (CVSS): High
Affected plugin: azure-cli
Description:

Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller.

This allows attackers with Item/Configure permission to execute arbitrary shell commands on the Jenkins controller.

As of publication of this advisory, there is no fix. Learn why we announce this.

This is the community-maintained plugin and not the CloudBees proprietary plugin of the same name that reached end of life in 2019.

CSRF vulnerability and missing permission checks in Nexus Task Runner Plugin

SECURITY-3550 / CVE-2025-64141 (CSRF), CVE-2025-64142 (permission check)
Severity (CVSS): Medium
Affected plugin: nexus-task-runner
Description:

Nexus Task Runner Plugin 0.9.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.

Authorization Token stored in plain text by OpenShift Pipeline Plugin

SECURITY-3553 / CVE-2025-64143
Severity (CVSS): Medium
Affected plugin: openshift-pipeline
Description:

OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce this.

API tokens stored in plain text by ByteGuard Build Actions Plugin

SECURITY-3560 / CVE-2025-64144 (storage), CVE-2025-64145 (masking)
Severity (CVSS): Medium
Affected plugin: byteguard-build-actions
Description:

ByteGuard Build Actions Plugin 1.0 and earlier stores API tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix. Learn why we announce this.

API Keys stored in plain text by Curseforge Publisher Plugin

SECURITY-3562 / CVE-2025-64146 (storage), CVE-2025-64147 (masking)
Severity (CVSS): Medium
Affected plugin: curseforge-publisher
Description:

Curseforge Publisher Plugin 1.0 and earlier stores API Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these keys, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix. Learn why we announce this.
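The OpenShift Pipeline, ByteGuard Build Actions and Curseforge Publisher entries above share one defect: a secret held as a plain String, which XStream then writes verbatim into config.xml, with an unmasked form field on top in two of the cases. As an added example, not code from any of those plugins, here is an assumed configuration object that keeps the token as hudson.util.Secret and the matching Jelly field that masks it; class, field and display names are assumptions.

```java
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/** Assumed configuration object; not code from any plugin named in this advisory. */
public final class PublisherConfig extends AbstractDescribableImpl<PublisherConfig> {
    private final String endpoint;
    // Secret, not String: XStream serializes it to config.xml encrypted with the
    // controller's key, so Item/Extended Read or file system access yields ciphertext.
    private final Secret apiToken;

    @DataBoundConstructor
    public PublisherConfig(String endpoint, Secret apiToken) {
        this.endpoint = endpoint;
        this.apiToken = apiToken;
    }

    public String getEndpoint() { return endpoint; }

    /** Bound to the form field; the value on disk is getEncryptedValue(), never the plain text. */
    public Secret getApiToken() { return apiToken; }

    /** Only the code that sends the request to the remote API decrypts the value. */
    String apiTokenForRequest() { return Secret.toString(apiToken); }

    @Extension
    public static final class DescriptorImpl extends Descriptor<PublisherConfig> {
        @Override public String getDisplayName() { return "Publisher configuration"; }
    }
}

// Matching config.jelly (assumed): f:password renders a masked input and round-trips the Secret.
// <f:entry title="API token" field="apiToken">
//   <f:password/>
// </f:entry>
```

Existing config.xml files keep the old plain-text value until the job is saved again; when a plugin migrates a String field to Secret, a readResolve() method that converts the legacy value on load is the usual way to re-encrypt it without waiting for a manual save.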

Missing permission check in Publish to Bitbucket Plugin allows enumerating credentials IDs

SECURITY-3570 / CVE-2025-64148
Severity (CVSS): Medium
Affected plugin: publish-to-bitbucket
Description:

Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.

CSRF vulnerability and missing permission check in Publish to Bitbucket Plugin

SECURITY-3576 / CVE-2025-64149 (CSRF), CVE-2025-64150 (permission check)
Severity (CVSS): Medium
Affected plugin: publish-to-bitbucket
Description:

Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.
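The two Publish to Bitbucket entries above, like the Themis, Start Windocks Containers and Nexus Task Runner entries, describe form-validation and connection-test endpoints that lack a permission check and accept GET. As an added example, not the Publish to Bitbucket Plugin's code, here is an assumed descriptor whose dropdown filler only lists credentials IDs to callers allowed to see them and whose connection test requires POST and a permission check before any outbound request; it assumes a recent Jenkins core and Credentials Plugin, and the class and display names are assumptions.

```java
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/** Assumed publisher step; not the Publish to Bitbucket Plugin's code. */
public final class RemotePublisher extends AbstractDescribableImpl<RemotePublisher> {
    @Extension
    public static final class DescriptorImpl extends Descriptor<RemotePublisher> {
        @Override public String getDisplayName() { return "Remote publisher"; }

        /** Who may see the list of credentials IDs: item configurers, or administrators at global scope. */
        private static boolean mayListCredentials(Item item) {
            return item == null ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                : item.hasPermission(Item.EXTENDED_READ) || item.hasPermission(CredentialsProvider.USE_ITEM);
        }

        /** Dropdown filler: unauthorized callers only get their current value back, never the full list. */
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item, @QueryParameter String credentialsId) {
            StandardListBoxModel model = new StandardListBoxModel();
            if (!mayListCredentials(item)) return model.includeCurrentValue(credentialsId);
            return model.includeEmptyValue()
                .includeAs(ACL.SYSTEM2, item, StandardUsernamePasswordCredentials.class)
                .includeCurrentValue(credentialsId);
        }

        /** @POST makes Stapler reject GET (so the CSRF crumb applies); the permission check runs before any connection. */
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item, @QueryParameter String url,
                                               @QueryParameter String credentialsId) {
            if (item == null) Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            else item.checkPermission(Item.CONFIGURE);
            if (url == null || !url.startsWith("https://")) {
                return FormValidation.error("Only https endpoints are accepted");
            }
            // The request to url with the credential resolved from credentialsId goes here.
            return FormValidation.ok("Endpoint accepted");
        }
    }
}
```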

Fix

  • MCP Server Plugin should be updated to version 0.86.v7d3355e6a_a_18

  • SAML Plugin should be updated to version 4.583.585.v22ccc1139f55

  • CloudBees Traditional Platforms should be upgraded to 2.528.1.29795

  • CloudBees Cloud Platforms should be upgraded to 2.528.1.29795

Credit

  • Aris ISSAD, Aix Marseille University for SECURITY-3550

  • CC Bomber, Kitri BoB for SECURITY-2936

  • Daniel Beck, CloudBees, Inc. for SECURITY-3576

  • Denys Digtiar, CloudBees, Inc. for SECURITY-3613

  • Hamadache Mohamed, Aix Marseille University for SECURITY-3560, SECURITY-3562

  • Kevin Guerroudj, CloudBees, Inc. for SECURITY-3622

  • Lotfi Yahi, Aix Marseille University for SECURITY-3531, SECURITY-3570, SECURITY-3583

  • Pierre Beitz, CloudBees, Inc. for SECURITY-3326

  • Romuald Moisan, Aix Marseille University for SECURITY-3553

  • Romuald Moisan, Aix Marseille University, and Vincent Lardet, Aix Marseille University for SECURITY-3517

  • Said Abdesslem Messadi, Aix Marseille University for SECURITY-3538