CVE-2025-30196
📋 TL;DR
Jenkins AnchorChain Plugin 1.0 has a stored cross-site scripting (XSS) vulnerability that lets an attacker execute arbitrary JavaScript in victims' browsers. Attackers who can control the workspace content read by the Anchor Chain post-build step can use it against Jenkins administrators and other users who view the affected build pages. Attackers can steal session cookies, perform actions as authenticated users, or redirect to malicious sites.
💻 Affected Systems
- Jenkins AnchorChain Plugin
📦 What is this software?
Anchorchain by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to Jenkins, compromise build pipelines, steal credentials, and pivot to internal systems.
Likely Case
Session hijacking, unauthorized actions within Jenkins, data exfiltration from user browsers.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, with minimal privilege escalation.
🎯 Exploit Status
Exploitation requires ability to control workspace content; authenticated users with write access to relevant files can trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-03-19/#SECURITY-3529
Restart Required: Yes
Instructions:
1. Update Jenkins AnchorChain Plugin to version 1.1 via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.
3. Verify the plugin version in Manage Jenkins > Manage Plugins.
🔧 Temporary Workarounds
Disable AnchorChain Plugin
Temporarily disable the vulnerable plugin until patching is possible.
Navigate to Manage Jenkins > Manage Plugins > Installed, find AnchorChain Plugin, click Disable
Restrict File Uploads
Limit who can upload or modify files in Jenkins workspaces to reduce attack surface.
Configure Jenkins permissions to restrict workspace write access to trusted users only
🧯 If You Can't Patch
- Implement strict input validation for Anchor Chain post-build step to reject javascript: URLs.
- Apply Content Security Policy (CSP) headers to Jenkins to mitigate XSS impact.
🔍 How to Verify
Check if Vulnerable:
Check Jenkins plugin version: Navigate to Manage Jenkins > Manage Plugins > Installed, look for AnchorChain Plugin version 1.0.
Check Version:
On the Jenkins server, confirm the plugin is installed by checking the plugin directory: ls $JENKINS_HOME/plugins/anchorchain.jpi (the installed version itself is shown in Manage Jenkins > Manage Plugins > Installed).
Verify Fix Applied:
Confirm AnchorChain Plugin is updated to version 1.1 in Manage Jenkins > Manage Plugins > Installed.
📡 Detection & Monitoring
Log Indicators:
- Log entries showing javascript: URLs in Anchor Chain processing
- Unusual file modifications in Jenkins workspaces
Network Indicators:
- HTTP requests containing javascript: scheme in URLs from Jenkins instances
SIEM Query:
source="jenkins.log" AND "javascript:" AND "anchorchain"