Denial of service vulnerability in HTTP-based CLI
SECURITY-3630 / CVE-2025-67635
Severity (CVSS): High
Description:
CloudBees CI 2.528.2.34846 and earlier, Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted.
This allows unauthenticated attackers to cause a denial of service by creating HTTP-based CLI connection requests, resulting in request-handling threads waiting indefinitely.
CloudBees CI 2.528.3.35200, Jenkins 2.541, LTS 2.528.3 properly closes HTTP-based CLI connections when the connection stream becomes corrupted.
Missing permission check on password fields
SECURITY-1809 / CVE-2025-67636
Severity (CVSS): Medium
Description:
CloudBees CI 2.528.2.34846 and earlier, Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not perform a permission check to determine whether a password field should be redacted in views.
This allows attackers with View/Read permission to view encrypted password values in views.
The regular view configuration form requires View/Configure permission to access. This vulnerability requires that a plugin implements a page for a view that shows a password field without performing a View/Configure permission check, and does not set the readOnlyMode variable introduced to support JEP-224. As of the publication of this advisory, the Jenkins security team is not aware of any exploitable implementation.
CloudBees CI 2.528.3.35200, Jenkins 2.541, LTS 2.528.3 requires View/Configure permission to view encrypted password values in views.
In case of problems, administrators can disable this security fix by setting the system property hudson.Functions.nonRecursivePasswordMaskingPermissionCheck to true.
Build authorization token stored and displayed in plain text
SECURITY-783 / CVE-2025-67637 (storage), CVE-2025-67638 (masking)
Severity (CVSS): Medium
Description:
CloudBees CI 2.528.2.34846 and earlier, Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller.
These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.
CloudBees CI 2.528.3.35200, Jenkins 2.541, LTS 2.528.3 masks build authorization tokens displayed on the configuration form, and stores them encrypted once job configurations are saved again.
All affected job configurations can be migrated to the new (encrypted) format at once. Navigate to Manage Jenkins » Manage Old Data and choose Upgrade in the section Old Data Format.
CSRF vulnerability on the login form
SECURITY-1166 / CVE-2025-67639
Severity (CVSS): Low
Description:
CloudBees CI 2.528.2.34846 and earlier, Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not require a cross-site request forgery (CSRF) token (crumb) for the URL handling interactive login HTTP requests, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to trick users into logging in to the attacker’s account.
CloudBees CI 2.528.3.35200, Jenkins 2.541, LTS 2.528.3 validates CSRF tokens when processing login requests.
In case of problems, administrators can disable this security fix by setting the system property hudson.security.AuthenticationProcessingFilter2.skipCSRFCheck to true.
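The login-CSRF pattern above, as an added Python illustration (not Jenkins code): the crumb is an HMAC bound to the caller's own pre-login session, so a crumb fetched by the attacker in their browser does not validate when a victim's browser submits the attacker's form. The `crumb` field name, the `j_username`/`j_password` field names, the user store and the `skip_csrf_check` switch are constructed for this example.

```python
"""Login-form CSRF protection with a session-bound crumb (illustrative, not Jenkins code)."""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-instance secret, generated at startup
CRUMB_FIELD = "crumb"                   # constructed form field name

# Constructed user store: username -> SHA-256 of the password (demo only).
USERS = {
    "alice": hashlib.sha256(b"alice-password").hexdigest(),
    "mallory": hashlib.sha256(b"mallory-password").hexdigest(),
}


def issue_crumb(session_id: str) -> str:
    """Crumb bound to the caller's own (pre-login) session. A crumb obtained in the
    attacker's browser does not validate in the victim's session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def crumb_is_valid(session_id: str, crumb) -> bool:
    if not isinstance(crumb, str):
        return False
    return hmac.compare_digest(issue_crumb(session_id), crumb)


def authenticate(username, password) -> bool:
    expected = USERS.get(username)
    if expected is None or not isinstance(password, str):
        return False
    return hmac.compare_digest(expected, hashlib.sha256(password.encode()).hexdigest())


def handle_login(session_id: str, form: dict, skip_csrf_check: bool = False):
    """Login endpoint; returns (status, message). The behaviour described in the
    advisory corresponds to always running with skip_csrf_check=True."""
    if not skip_csrf_check and not crumb_is_valid(session_id, form.get(CRUMB_FIELD)):
        return 403, "missing or invalid CSRF crumb"
    if not authenticate(form.get("j_username"), form.get("j_password")):
        return 401, "invalid credentials"
    return 200, f"session {session_id} is now logged in as {form['j_username']}"
```

With the check enabled, a cross-site POST that carries no crumb, or a crumb issued for the attacker's own session, is rejected before the credentials are even examined; only with the check disabled does the victim's session end up authenticated as the attacker's user.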
OS command injection vulnerability on agents in Git client Plugin
SECURITY-3614 / CVE-2025-67640
Severity (CVSS): Medium
Affected plugin: git-client
Description:
Git client Plugin generates temporary script files to provide credentials (e.g., SSH_ASKPASS).
In Git client Plugin 6.4.0 and earlier, these script files contain the path to the workspace directory as part of a command argument. This argument is not correctly escaped, allowing attackers able to control the workspace directory name to inject arbitrary OS commands.
This vulnerability only has an impact when attackers can control working directories (e.g., the argument to the dir(…) Pipeline step) while not being able to control the Pipeline itself or the programs or build scripts it executes.
Git client Plugin 6.4.1 passes the workspace directory path as an environment variable to the script, preventing command injection.
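The two script-generation approaches contrasted above, as an added Python illustration (not the Git client Plugin's code): the vulnerable form interpolates the workspace path into the script text, so metacharacters in a directory name are parsed as shell syntax; the hardened form keeps the script constant and hands the path over in an environment variable, which the shell expands as a single literal word. The `ASKPASS_WORKSPACE` variable name, the `passphrase` file and the hostile directory name are constructed; the example needs a POSIX `sh`.

```python
"""Generated credential-helper script: path interpolated into the command (vulnerable
pattern) versus path delivered through an environment variable (hardened pattern).
Illustrative Python, not the Git client Plugin's code."""
import os
import subprocess
import tempfile

ENV_VAR = "ASKPASS_WORKSPACE"   # hypothetical variable name, not from the plugin


def vulnerable_script(workspace: str) -> str:
    # The directory name becomes part of the script text. Quotes, $(...) or ';' in
    # the name are parsed as shell syntax when the script runs. Shown, not executed.
    return f'#!/bin/sh\ncat "{workspace}/passphrase"\n'


def hardened_script() -> str:
    # Constant script text: the path is read from the environment at run time and the
    # double quotes keep the expansion as one literal word, so nothing is re-parsed.
    return '#!/bin/sh\ncat "${' + ENV_VAR + '}/passphrase"\n'


def run_hardened(workspace: str) -> str:
    """Write the constant script and run it with the untrusted path in its environment."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "w") as f:
        f.write(hardened_script())
    os.chmod(path, 0o700)
    try:
        env = dict(os.environ)
        env[ENV_VAR] = workspace
        result = subprocess.run(["sh", path], env=env, capture_output=True, text=True, check=True)
        return result.stdout
    finally:
        os.unlink(path)


def demo() -> dict:
    """Constructed workspace whose directory name carries shell metacharacters."""
    with tempfile.TemporaryDirectory() as base:
        hostile = os.path.join(base, 'ws" $(echo INJECTED) "')
        os.mkdir(hostile)
        with open(os.path.join(hostile, "passphrase"), "w") as f:
            f.write("constructed-passphrase\n")
        return {
            # the vulnerable script text carries the metacharacters verbatim
            "vulnerable_embeds_metachars": "$(echo INJECTED)" in vulnerable_script(hostile),
            # the hardened script treats the name as a literal path and reads the file
            "hardened_output": run_hardened(hostile),
        }


if __name__ == "__main__":
    print(demo())
```

The hardened script reads the passphrase file even though the directory name contains a quote and a command substitution, because the value never passes through the shell's parser as code; the vulnerable script text, by contrast, visibly embeds those characters in its command line.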
Stored XSS vulnerability in Coverage Plugin
SECURITY-3611 / CVE-2025-67641
Severity (CVSS): High
Affected plugin: coverage
Description:
Coverage Plugin uses coverage results IDs to create the links to coverage results on the Jenkins UI.
Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI. This allows attackers with Item/Configure permission to use a javascript: scheme URL as identifier by configuring the job through the REST API, resulting in a stored cross-site scripting (XSS) vulnerability.
This vulnerability is not exploitable on Jenkins 2.539 or newer with Content Security Policy protection enforced.
Coverage Plugin 2.3056.v1dfe888b_0249 validates coverage results IDs when creating coverage results, ensuring no result is created with a javascript: scheme URL as identifier.
Additionally, the plugin will refuse to load any existing coverage results with invalid identifiers.
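The fix described above, as an added Python illustration (not the Coverage Plugin's code): an allowlist for the identifier is enforced in the model object's constructor, so every creation path (UI form, REST API, pipeline step) goes through it, the form check becomes early feedback rather than the security boundary, and previously stored results with invalid identifiers are refused on load. The regular expression, the URL prefix and the class and function names are assumptions.

```python
"""Allowlist validation of a user-supplied identifier used to build UI links, enforced
where the object is created rather than only in the configuration form.
Illustrative Python, not the Coverage Plugin's code."""
import re

# Assumed allowlist: letters, digits, '-' and '_' only, so no URL scheme (javascript:),
# path separator or markup character can reach the generated link.
ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_result_id(value) -> str:
    if not isinstance(value, str) or not ID_PATTERN.fullmatch(value):
        raise ValueError(f"invalid coverage result id: {value!r}")
    return value


class CoverageResult:
    """Model object. Validating in the constructor covers every creation path:
    the UI form, the REST API and pipeline steps."""

    def __init__(self, result_id: str, url_prefix: str = "/coverage/"):
        self.result_id = validate_result_id(result_id)
        self.url_prefix = url_prefix

    def link(self) -> str:
        # Safe to embed: the identifier is restricted to the allowlist above.
        return f"{self.url_prefix}{self.result_id}/"


def form_validation(value) -> str:
    """Form-level check: useful feedback for the UI, but on its own it is bypassed by
    any client that does not use the form (the situation the advisory describes)."""
    try:
        validate_result_id(value)
        return "OK"
    except ValueError as exc:
        return f"ERROR: {exc}"


def load_existing(stored_ids):
    """Loading previously saved results: refuse records with invalid identifiers
    instead of rendering links for them."""
    loaded, rejected = [], []
    for stored in stored_ids:
        try:
            loaded.append(CoverageResult(stored))
        except ValueError:
            rejected.append(stored)
    return loaded, rejected
```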
Exposure of system-scoped Vault credentials in HashiCorp Vault Plugin
SECURITY-3045 / CVE-2025-67642
Severity (CVSS): Medium
Affected plugin: hashicorp-vault-plugin
Description:
HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier does not set the appropriate context for Vault credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.
This allows attackers with Item/Configure permission to access and potentially capture Vault credentials they are not entitled to.
As of publication of this advisory, there is no fix. Learn why we announce this.
Missing permission check in BlazeMeter Plugin allows enumerating credentials IDs
SECURITY-3091 / CVE-2025-13472
Severity (CVSS): Medium
Affected plugin: BlazeMeterJenkinsPlugin
Description:
BlazeMeter Plugin 4.26 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of credentials IDs in BlazeMeter Plugin 4.27 requires the appropriate permissions.
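The two credential-handling points above, the scope context from the HashiCorp Vault entry and the permission check from the BlazeMeter entry, as one added Python illustration (not either plugin's code): a lookup performed in a job's context never returns system-scoped credentials, a lookup for the global configuration requires Overall/Administer, and the list-box endpoint that fills credential IDs returns an empty list unless the caller holds the appropriate permission. The scope names, permission strings, credential store and the convention of returning an empty list are assumptions made for this example.

```python
"""Credentials lookup that respects scope and requires a permission before listing IDs.
Illustrative Python; not the HashiCorp Vault Plugin's or BlazeMeter Plugin's code."""
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    SYSTEM = "system"   # reserved for the controller's global configuration
    GLOBAL = "global"   # usable from jobs


@dataclass(frozen=True)
class Credential:
    id: str
    scope: Scope
    secret: str


# Constructed credential store.
STORE = [
    Credential("vault-controller-approle", Scope.SYSTEM, "constructed-system-secret"),
    Credential("vault-job-token", Scope.GLOBAL, "constructed-job-secret"),
    Credential("deploy-key", Scope.GLOBAL, "constructed-deploy-secret"),
]


@dataclass
class User:
    name: str
    permissions: frozenset = field(default_factory=frozenset)  # e.g. {"Overall/Read"}

    def has(self, permission: str) -> bool:
        return permission in self.permissions or "Overall/Administer" in self.permissions


def lookup_for_item(credential_id: str):
    """Lookup in an item (job) context: system-scoped credentials are not visible here,
    whatever ID the job configuration names."""
    for c in STORE:
        if c.id == credential_id and c.scope is Scope.GLOBAL:
            return c
    return None


def lookup_for_system(credential_id: str, user: User):
    """Lookup for the global configuration: needs Overall/Administer, may return SYSTEM scope."""
    if not user.has("Overall/Administer"):
        raise PermissionError(f"{user.name} lacks Overall/Administer")
    for c in STORE:
        if c.id == credential_id:
            return c
    return None


def fill_credential_ids(user: User, item_context: bool = True) -> list:
    """List-box endpoint. Without the right permission it returns an empty list instead of
    enumerating IDs to anyone with Overall/Read (assumed convention)."""
    required = "Item/Configure" if item_context else "Overall/Administer"
    if not user.has(required):
        return []
    return [c.id for c in STORE if c.scope is Scope.GLOBAL or not item_context]
```

The important property is that both checks are made by the code that performs the lookup, not by the page that displays the result: a caller with only Overall/Read learns no IDs, and a job configuration cannot reach a system-scoped credential even when it knows the ID.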
Path traversal vulnerability in Redpen - Pipeline Reporter for Jira Plugin
SECURITY-3290 / CVE-2025-67643
Severity (CVSS): Medium
Affected plugin: pipeline-reporter-by-redpen
Description:
Redpen - Pipeline Reporter for Jira Plugin 1.054.v7b_9517b_6b_202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira.
Additionally, Redpen - Pipeline Reporter for Jira Plugin does not support distributed builds, causing artifact uploads to occur from the Jenkins controller rather than from the agent executing the build.
This results in a path traversal vulnerability, allowing attackers with Item/Configure permission to retrieve files present on the Jenkins controller workspace directory.
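The path check missing in the case above, as an added Python illustration (not the Redpen plugin's code): a requested artifact path is resolved against the workspace root and refused unless the resolved location is the root itself or lies beneath it. Because `Path.resolve()` follows symlinks, a link that points out of the workspace is caught as well as `..` segments and absolute paths. The workspace layout, file names and function names are constructed for this example.

```python
"""Confining artifact reads to a workspace root before uploading them anywhere.
Illustrative Python; not the Redpen - Pipeline Reporter for Jira Plugin's code."""
import tempfile
from pathlib import Path


def resolve_inside(root: Path, requested: str) -> Path:
    """Resolve `requested` relative to `root` and reject anything outside it.
    resolve() follows symlinks, so a link pointing out of the workspace is caught too.
    An absolute `requested` replaces `root` in the join and is caught by the same test."""
    root = root.resolve()
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes workspace: {requested!r}")
    return candidate


def read_artifact(root: Path, requested: str) -> bytes:
    return resolve_inside(root, requested).read_bytes()


def demo() -> dict:
    """Constructed workspace with a real artifact, a file outside it, and a symlink out."""
    with tempfile.TemporaryDirectory() as base:
        root = Path(base) / "workspace"
        root.mkdir()
        (root / "report.xml").write_bytes(b"<coverage/>")
        outside = Path(base) / "controller-secret"
        outside.write_bytes(b"do-not-leak")
        (root / "link").symlink_to(outside)

        probes = [
            ("dotdot", "../controller-secret"),
            ("symlink", "link"),
            ("absolute", str(outside)),
        ]
        rejected = []
        for label, probe in probes:
            try:
                read_artifact(root, probe)
            except ValueError:
                rejected.append(label)
        return {"report": read_artifact(root, "report.xml"), "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Where the file is read matters as much as how: the advisory notes that uploads happen from the controller rather than the agent, so this check runs on the controller's file system in that configuration, and performing the read on the agent that ran the build would additionally keep controller files out of reach.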
As of publication of this advisory, there is no fix. Learn why we announce this.