CloudBees Security Advisory 2025-04-02

This advisory announces vulnerabilities in CloudBees CI, CloudBees Jenkins Platform and Jenkins.

Multiple path traversal vulnerabilities in CloudBees Update Center Plugin

BEE-49009
Severity (CVSS): High

Description: CloudBees Update Center Plugin 952 and earlier is affected by two path traversal vulnerabilities:

  • When processing an upstream update center's JSON metadata, the URL to an artifact can use the file: scheme and reference a file on the controller on which the downstream update center is hosted. If that file exists and is a valid Java .jar (or compatible) .zip file, the update center copies the file when storing it and makes it available for download.

  • When storing a Jenkins .war or plugin .hpi file, values from the Java manifest metadata file inside the archive are used to determine the actual name and version of the plugin and the resulting file path on the controller file system. These values are processed without validation, allowing attackers who can get a crafted Jenkins .war or plugin .hpi file stored by the plugin to place it anywhere on the controller file system, including the plugins/ directory inside the Jenkins home directory, leading to arbitrary code execution after a restart.

CloudBees Update Center Plugin 984 resolves both issues:

  • Support for file: URLs is dropped. This existed to support copying local files when upstream sources are other local update centers. Instead, a custom local: URI scheme is defined for this use case and values are validated to ensure only promoted artifacts of local update center items are referenced.

  • Values read from the Java manifest metadata file when storing a Jenkins .war or plugin .hpi file are validated to ensure they contain only characters from a restricted set with no potential for path traversal.
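The second fix, validating manifest-derived name and version values before they become part of a file path, is shown below as an added example. This is illustrative code written for this advisory, not the CloudBees Update Center Plugin's own implementation: the accepted character set, the base directory and the path layout are assumptions, and the archive it reads is a constructed in-memory jar containing only a manifest. Short-Name and Plugin-Version are the standard Jenkins plugin manifest attributes for name and version; an archive whose manifest fails the check is rejected before any path is built, and a containment check on the normalized path guards the case where the character check is ever loosened.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.jar.Attributes;
import java.util.jar.JarInputStream;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;
import java.util.regex.Pattern;

public class ManifestPathCheck {
    // Restricted character set for values taken from an untrusted archive
    // (assumed for this example; not the plugin's exact allow-list). No '/',
    // '\\' or leading '.', so "..", absolute paths and hidden files cannot appear.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]*");

    static String requireSafe(String field, String value) {
        if (value == null || !SAFE.matcher(value).matches()) {
            throw new IllegalArgumentException("Rejected manifest " + field + ": " + value);
        }
        return value;
    }

    /** Reads Short-Name / Plugin-Version from the archive manifest and returns the
     *  path the artifact would be stored at, or throws if either value is unsafe. */
    static Path storagePath(Path baseDir, byte[] archive) throws IOException {
        try (JarInputStream in = new JarInputStream(new ByteArrayInputStream(archive))) {
            Manifest mf = in.getManifest();
            if (mf == null) throw new IllegalArgumentException("archive has no manifest");
            Attributes a = mf.getMainAttributes();
            String name = requireSafe("Short-Name", a.getValue("Short-Name"));
            String version = requireSafe("Plugin-Version", a.getValue("Plugin-Version"));
            Path base = baseDir.toAbsolutePath().normalize();
            Path target = base.resolve(name).resolve(version).resolve(name + ".hpi").normalize();
            // Defence in depth: even with the character check, confirm containment.
            if (!target.startsWith(base)) {
                throw new IllegalArgumentException("path escapes base directory: " + target);
            }
            return target;
        }
    }

    // Constructed sample archive: a minimal jar whose only entry is the manifest.
    static byte[] archiveWith(String shortName, String version) throws IOException {
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        mf.getMainAttributes().putValue("Short-Name", shortName);
        mf.getMainAttributes().putValue("Plugin-Version", version);
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (JarOutputStream out = new JarOutputStream(bytes, mf)) {
            // manifest only; no further entries
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path base = Paths.get("/var/lib/jenkins/update-center"); // assumed storage root
        System.out.println("stored at: " + storagePath(base, archiveWith("my-plugin", "1.2.3")));
        try {
            // Traversal characters in the name are refused before any path is built.
            storagePath(base, archiveWith("../../plugins/evil", "1.0"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ManifestPathCheck.java && java ManifestPathCheck`. The allow-list is deliberately positive (what is permitted) rather than a blocklist of `..` and separators, which is the form that leaves no room for encoding or platform-specific separator tricks.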

ReDoS vulnerability in managed-master-hibernation-monitor

BEE-55416
Severity (CVSS): Medium

Description: The managed-master-hibernation-monitor component (Docker image tag 441.2e998755476c and earlier) included in CloudBees CI 2.492.2.3 and earlier doesn't properly validate user-supplied regular expressions provided to the managed controller endpoint “/status/quiescent”. This allows attackers to supply crafted regex patterns that cause excessive backtracking, leading to a regular expression denial of service (ReDoS) vulnerability exploitable by attackers with Managed Controller administrator permission.

The managed-master-hibernation-monitor component (Docker image tag 460.f7f57a00f3f1) included in CloudBees CI 2.492.3.5 fixes this issue by introducing a time-limited regex execution mechanism. This ensures that regular expressions exceeding a fixed timeout are forcibly terminated, preventing excessive resource consumption and potential denial-of-service conditions.
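The fix described above bounds how long a user-supplied pattern may run. The following added example shows one common way to build such a time-limited regex execution mechanism in Java; it is written for this advisory and is not the managed-master-hibernation-monitor component's own code, and the 100 ms budget and the sample patterns are assumptions. java.util.regex reads its input through CharSequence.charAt(), so wrapping the input in a sequence that checks a deadline on every read lets a runaway match be aborted from inside the matcher rather than by killing a thread.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TimeLimitedRegex {
    /** Thrown from inside the matcher when a match runs past its deadline. */
    static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException(long millis) { super("regex exceeded " + millis + " ms"); }
    }

    /** CharSequence wrapper: every character the matcher reads (including during
     *  backtracking) passes through charAt(), which enforces a shared deadline. */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;
        private final long budgetMillis;

        DeadlineCharSequence(CharSequence inner, long budgetMillis) {
            this(inner, System.nanoTime() + budgetMillis * 1_000_000L, budgetMillis);
        }

        private DeadlineCharSequence(CharSequence inner, long deadlineNanos, long budgetMillis) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
            this.budgetMillis = budgetMillis;
        }

        @Override public char charAt(int index) {
            if (System.nanoTime() > deadlineNanos) throw new RegexTimeoutException(budgetMillis);
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            // Keep the original deadline; do not restart the clock on sub-sequences.
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos, budgetMillis);
        }
        @Override public String toString() { return inner.toString(); }
    }

    /** Full-match test that gives up (throws RegexTimeoutException) after budgetMillis. */
    static boolean matchesWithin(String regex, String input, long budgetMillis) {
        Matcher m = Pattern.compile(regex).matcher(new DeadlineCharSequence(input, budgetMillis));
        return m.matches();
    }

    public static void main(String[] args) {
        // A benign pattern completes well inside the budget.
        System.out.println("benign: " + matchesWithin("^[a-z]+-[0-9]+$", "controller-42", 100));

        // Constructed pathological case: nested quantifiers on a near-miss input
        // backtrack exponentially; the deadline cuts the match short.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 60; i++) sb.append('a');
        sb.append('!');
        try {
            matchesWithin("^(a+)+$", sb.toString(), 100);
            System.out.println("pathological: completed");
        } catch (RegexTimeoutException e) {
            System.out.println("pathological: aborted, " + e.getMessage());
        }
    }
}
```

Compile and run with `javac TimeLimitedRegex.java && java TimeLimitedRegex`. The budget should be set per request and the exception mapped to a client error, so that a rejected pattern costs at most the configured budget of one thread's time rather than an unbounded amount.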

SSRF vulnerability in CloudBees Backup Plugin

BEE-48924
Severity (CVSS): Medium

Description: CloudBees Backup Plugin 1089 and earlier does not validate the URIs returned from WebDAV for the files to be deleted if a Backup retention policy is configured. This allows crafted responses from the WebDAV service on which backups are stored to have CloudBees CI send HTTP DELETE requests to an attacker-chosen URI.

CloudBees Backup Plugin 1095 skips URIs returned from WebDAV that have a different hostname or port than the WebDAV URI.
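The following added example illustrates the kind of check the fix describes: resolving each href returned by the WebDAV listing against the configured store URI and discarding any that point somewhere else before a DELETE is issued. It is written for this advisory and is not the CloudBees Backup Plugin's code; the store URI and the listed hrefs are constructed. It goes slightly beyond the page's wording by also requiring the scheme to match, which is the usual same-origin definition and costs nothing for a legitimate WebDAV server.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

public class WebDavDeleteFilter {
    /** Port actually in use, filling in the scheme default when the URI has none. */
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        if ("https".equalsIgnoreCase(u.getScheme())) return 443;
        if ("http".equalsIgnoreCase(u.getScheme())) return 80;
        return -1;
    }

    /** True when candidate has the same scheme, host and effective port as the configured store. */
    static boolean sameOrigin(URI configured, URI candidate) {
        return candidate.getScheme() != null
            && candidate.getScheme().equalsIgnoreCase(configured.getScheme())
            && candidate.getHost() != null
            && candidate.getHost().equalsIgnoreCase(configured.getHost())
            && effectivePort(candidate) == effectivePort(configured);
    }

    /** Keeps only listing entries that resolve onto the configured WebDAV origin. */
    static List<URI> deletable(URI configured, List<String> hrefs) {
        List<URI> out = new ArrayList<>();
        for (String href : hrefs) {
            URI resolved;
            try {
                resolved = configured.resolve(href); // relative hrefs are normal in WebDAV
            } catch (IllegalArgumentException malformed) {
                continue; // unparsable href: never act on it
            }
            if (sameOrigin(configured, resolved)) {
                out.add(resolved);
            } else {
                System.out.println("skipping off-origin href: " + href);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        URI store = URI.create("https://backups.example.com/dav/jenkins/"); // assumed store URI
        // Constructed listing: two legitimate entries, one on a different port,
        // one on a different host entirely.
        List<String> hrefs = List.of(
            "/dav/jenkins/backup-2025-03-01.tar.gz",
            "https://backups.example.com:443/dav/jenkins/backup-2025-03-02.tar.gz",
            "https://backups.example.com:8443/dav/jenkins/backup-2025-03-03.tar.gz",
            "http://other-host.internal/dav/jenkins/backup-2025-03-04.tar.gz");
        for (URI u : deletable(store, hrefs)) {
            System.out.println("DELETE " + u);
        }
    }
}
```

Only the first two entries survive: the explicit `:443` is equivalent to the default HTTPS port, while `:8443` and the foreign host are dropped. Logging the skipped hrefs gives operators a signal that the store is returning unexpected locations.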

Missing permission check allows retrieving agent configurations

SECURITY-3512 / CVE-2025-31720
Severity (CVSS): Medium
Description:

Jenkins 2.503 and earlier, LTS 2.492.2 and earlier, CloudBees CI 2.492.2.3 and earlier do not perform a permission check in an HTTP endpoint.

This allows attackers with Agent/Create permission but without Agent/Extended Read permission to copy an agent, gaining access to its configuration.

Jenkins 2.504, LTS 2.492.3, CloudBees CI 2.492.3.5 require Agent/Extended Read permission to copy an agent.

Missing permission check allows retrieving secrets from agent configurations

SECURITY-3513 / CVE-2025-31721
Severity (CVSS): Medium
Description:

Jenkins 2.503 and earlier, LTS 2.492.2 and earlier, CloudBees CI 2.492.2.3 and earlier do not perform a permission check in an HTTP endpoint.

This allows attackers with Agent/Create permission but without Agent/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration.

This is due to an incomplete fix of SECURITY-3495.

Jenkins 2.504, LTS 2.492.3, CloudBees CI 2.492.3.5 require Agent/Configure permission to copy an agent containing secrets.

Script Security sandbox bypass vulnerability through folder-scoped libraries in Templating Engine Plugin

SECURITY-3505 / CVE-2025-31722
Severity (CVSS): High
Affected plugin: templating-engine
Description:

Templating Engine Plugin allows defining libraries both in the global configuration, as well as scoped to folders containing the pipelines using them. While libraries in the global configuration can only be set up by administrators and can therefore be trusted, libraries defined in folders can be configured by users with Item/Configure permission.

In Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection. This vulnerability allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

In Templating Engine Plugin 2.5.4, libraries defined in folders are subject to sandbox protection.

CSRF vulnerability in Simple Queue Plugin

SECURITY-3469 / CVE-2025-31723
Severity (CVSS): Medium
Affected plugin: simple-queue
Description:

Simple Queue Plugin 1.4.6 and earlier does not require POST requests for multiple HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to change and reset the build queue order.

Simple Queue Plugin 1.4.7 requires POST requests for the affected HTTP endpoints.

Administrators can enable equivalent HTTP endpoints without CSRF protection via the global configuration.

API keys stored in plain text by Cadence vManager Plugin

SECURITY-3537 / CVE-2025-31724
Severity (CVSS): Medium
Affected plugin: vmanager-plugin
Description:

Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 stores Verisium Manager vAPI keys encrypted once affected job configurations are saved again.

Passwords stored in plain text by monitor-remote-job Plugin

SECURITY-3539 / CVE-2025-31725
Severity (CVSS): Medium
Affected plugin: monitor-remote-job
Description:

monitor-remote-job Plugin 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce this.

API keys stored in plain text by Stack Hammer Plugin

SECURITY-3520 / CVE-2025-31726
Severity (CVSS): Medium
Affected plugin: stackhammer
Description:

Stack Hammer Plugin 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce this.

API keys stored and displayed in plain text by AsakusaSatellite Plugin

SECURITY-3523 / CVE-2025-31727 (storage), CVE-2025-31728 (masking)
Severity (CVSS): Medium
Affected plugin: asakusa-satellite-plugin
Description:

AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix. Learn why we announce this.

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.492.3.5

  • CloudBees Cloud Platforms should be upgraded to 2.492.3.5

Credit

  • Daniel Beck, CloudBees, Inc. for SECURITY-3512, SECURITY-3513

  • Romuald Moisan, Aix Marseille University, and Vincent Lardet, Aix Marseille University for SECURITY-3523, SECURITY-3537

  • Swapna Nanda, CloudBees, Inc. for SECURITY-3469

  • Zaoui Zakariae, Aix Marseille University for SECURITY-3539

  • Zaoui Zakariae, Aix Marseille University, and Romuald Moisan, Aix Marseille University for SECURITY-3520