CVE-2023-25721

6.5 MEDIUM

📋 TL;DR

The Veracode Scan Jenkins Plugin before version 23.3.19.0 exposes proxy credentials in job logs when specific configurations are enabled. Users with access to view job logs can discover these credentials, potentially compromising proxy authentication. This affects Jenkins administrators who have enabled proxy debugging and remote agent job scanning.

💻 Affected Systems

Products:
  • Veracode Scan Jenkins Plugin
Versions: All versions before 23.3.19.0
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ✅ No
Notes: Requires three specific configurations: 'Connect using proxy' enabled with credentials, Jenkins global debug enabled, and remote agent job scanning configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain proxy credentials, pivot through internal networks, intercept sensitive traffic, or launch attacks from the proxy's position.

🟠 Likely Case: Internal users with job log access discover proxy credentials, potentially using them for unauthorized network access or credential reuse attacks.

🟢 If Mitigated: Limited exposure with proper access controls and monitoring, but credentials still exposed in logs.

🌐 Internet-Facing: LOW - Requires authenticated access to Jenkins job logs.
🏢 Internal Only: MEDIUM - Internal users with job log access can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to view job logs and specific plugin configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 23.3.19.0

Vendor Advisory: https://docs.veracode.com/updates/r/c_all_int#veracode-jenkins-plugin-233190

Restart Required: Yes

Instructions:

1. Update Veracode Scan Jenkins Plugin to version 23.3.19.0 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.
3. Verify the plugin version in Jenkins system information.

🔧 Temporary Workarounds

Disable Jenkins Global Debug (applies to: all)

Turn off the Jenkins global system debug setting to prevent credential logging.

Navigate to Jenkins > Manage Jenkins > System Log > Log Levels and ensure debug is disabled for the relevant components.

Restrict Job Log Access (applies to: all)

Limit which users can view job logs containing sensitive information.

Configure the Jenkins security matrix to restrict 'View Job Log' permissions to trusted users only.

🧯 If You Can't Patch

  • Disable the 'Connect using proxy' option or remove proxy credentials from plugin configuration.
  • Implement strict access controls on Jenkins job logs and monitor for unauthorized access attempts.

🔍 How to Verify

Check if Vulnerable:

Check the Jenkins plugin manager for the Veracode Scan Plugin version. If the version is below 23.3.19.0 and all three vulnerable configurations are enabled, the system is vulnerable.

Check Version:

Navigate to Jenkins > Manage Jenkins > Plugin Manager > Installed tab, search for 'Veracode Scan'.

Verify Fix Applied:

Confirm plugin version is 23.3.19.0 or higher in Jenkins plugin manager and verify proxy credentials are no longer visible in job logs.

📡 Detection & Monitoring

Log Indicators:

  • Proxy credentials (usernames/passwords) appearing in Jenkins job logs
  • Debug-level logging containing authentication strings

Network Indicators:

  • Unauthorized proxy authentication attempts from internal Jenkins users

SIEM Query:

source="jenkins.log" AND (("proxy" AND "password") OR ("credentials" AND "debug"))
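To make the version check in "How to Verify" and the log indicators above concrete, here is an added example (not code from the plugin, Veracode or Jenkins) that decides whether an installed plugin version plus the three configurations is exposed, and scans console log lines for proxy secrets, returning redacted copies so the finding itself does not re-leak the credential. The log lines, hostnames and credential values are constructed sample data, and the regexes are an assumption about how such secrets typically appear in a log, not the plugin's actual output format.

```python
import re
from typing import List, Tuple

# Version the advisory names as the fixed release.
FIXED_VERSION = "23.3.19.0"

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted plugin version such as '23.3.19.0' into a comparable tuple."""
    return tuple(int(p) for p in v.strip().split("."))

def is_vulnerable_version(installed: str) -> bool:
    """True when the installed Veracode Scan plugin predates the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)

def is_exposed(installed: str, proxy_with_creds: bool, global_debug: bool, remote_agent_scan: bool) -> bool:
    """The leak needs an old version AND all three configurations described in the advisory."""
    return is_vulnerable_version(installed) and proxy_with_creds and global_debug and remote_agent_scan

# Assumed patterns for proxy secrets in a console log (not the plugin's real format):
#  - a proxy URL that embeds user:password@host
#  - a key/value pair such as proxyPassword=... or proxy.secret: ...
CRED_URL = re.compile(r"https?://([^/\s:@]+):([^/\s@]+)@[^\s/]+", re.I)
CRED_KV = re.compile(r"proxy[\w.\-]*(?:password|passwd|pass|secret)\s*[=:]\s*(\S+)", re.I)

def _mask(m: "re.Match", group: int) -> str:
    """Replace one capture group inside the matched text with '***'."""
    s, e = m.start(group) - m.start(0), m.end(group) - m.start(0)
    return m.group(0)[:s] + "***" + m.group(0)[e:]

def find_credential_leaks(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_line) for every line that leaks a proxy secret."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if CRED_URL.search(line) or CRED_KV.search(line):
            redacted = CRED_URL.sub(lambda m: _mask(m, 2), line)
            redacted = CRED_KV.sub(lambda m: _mask(m, 1), redacted)
            hits.append((n, redacted))
    return hits

# Constructed sample console output; FINE is a java.util.logging debug level.
SAMPLE_LOG = [
    "[Veracode] Starting scan on remote agent agent-01",
    "FINE: proxy settings: host=proxy.corp.example port=3128",
    "FINE: proxyUsername=svc-veracode proxyPassword=Pa55w0rd!",
    "FINE: using proxy url http://svc-veracode:Pa55w0rd!@proxy.corp.example:3128",
    "[Veracode] Upload complete",
]

if __name__ == "__main__":
    print("exposed:", is_exposed("23.3.18.0", True, True, True))
    for n, text in find_credential_leaks(SAMPLE_LOG):
        print(f"line {n}: {text}")
```

Pointing `find_credential_leaks` at real build console output (one call per job log) gives the same redacted hit list that the SIEM query above approximates with keyword matching.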
