CVE-2025-31721
📋 TL;DR
This vulnerability allows attackers with Computer/Create permission in Jenkins to copy agent configurations and access encrypted secrets they shouldn't have permission to view. It affects Jenkins 2.503 and earlier, including LTS 2.492.2 and earlier. Attackers need some existing Jenkins permissions but can escalate to access sensitive credentials.
💻 Affected Systems
- Jenkins
📦 What is this software?
Jenkins by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to encrypted secrets stored in agent configurations, potentially compromising credentials, API keys, or other sensitive data used by Jenkins agents.
Likely Case
Privileged Jenkins users with Computer/Create permission but without Computer/Configure permission can access secrets they shouldn't be able to view, leading to credential exposure.
If Mitigated
With proper permission segregation and least privilege, only users holding both Computer/Create and Computer/Configure could copy agents, and those users are already entitled to view agent configuration, so the flaw grants them no additional access and exposure is limited.
🎯 Exploit Status
Exploitation requires authenticated access with Computer/Create permission. The vulnerability is straightforward to exploit once an attacker has the required permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jenkins 2.504, Jenkins LTS 2.492.3
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3513
Restart Required: Yes
Instructions:
1. Back up your Jenkins instance and configuration.
2. Upgrade to Jenkins 2.504 or Jenkins LTS 2.492.3.
3. Restart the Jenkins service.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Permission Restriction
Remove Computer/Create permission from users who don't also have Computer/Configure permission to prevent exploitation.
Manage Jenkins > Configure Global Security > Matrix-based security or Role-based strategy
🧯 If You Can't Patch
- Review and restrict user permissions to ensure no users have Computer/Create without Computer/Configure permission
- Audit agent configurations and rotate any exposed secrets or credentials
🔍 How to Verify
Check if Vulnerable:
Check Jenkins version via Manage Jenkins > About Jenkins or via CLI with 'java -jar jenkins.war --version'
Check Version:
java -jar jenkins.war --version
Verify Fix Applied:
Verify Jenkins version is 2.504 or higher, or LTS 2.492.3 or higher
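The version check above has a trap: the fixed versions are 2.504 on the weekly line and 2.492.3 on the LTS line, and LTS versions carry three components (2.492.x). A naive numeric comparison against 2.504 would wrongly flag a patched LTS 2.492.3 as vulnerable. The following added example (not code from the advisory or the Jenkins project) triages a version string by release line, using the fixed versions stated above; it also reads the version from the X-Jenkins response header that Jenkins sets on HTTP responses. The sample inputs are constructed, and the `fetch_version` helper assumes network access to a base URL you supply and is not exercised here.

```python
"""Triage helper for CVE-2025-31721 (SECURITY-3513): is a Jenkins version
string in the affected range?  Added example, not part of the advisory.

Fixed versions, from the advisory: weekly 2.504, LTS 2.492.3.  LTS releases
are compared against the LTS threshold, weeklies against the weekly one.
"""
import re
import urllib.request
from typing import Dict, Tuple

Version = Tuple[int, ...]

FIXED_WEEKLY: Version = (2, 504)      # from the advisory
FIXED_LTS: Version = (2, 492, 3)      # from the advisory

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_version(text: str) -> Version:
    """Extract the first x.y or x.y.z version from text such as
    'Jenkins 2.492.2' or the value of an X-Jenkins header."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Jenkins version found in {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(version: Version) -> bool:
    """LTS releases carry a third component (2.492.2); weeklies do not (2.503)."""
    return len(version) == 3


def is_vulnerable(version: Version) -> bool:
    """True if the version is below the fix for its own release line."""
    threshold = FIXED_LTS if is_lts(version) else FIXED_WEEKLY
    return version < threshold


def triage(version_text: str) -> str:
    """Return 'vulnerable' or 'fixed', annotated with the release line."""
    v = parse_version(version_text)
    line = "LTS" if is_lts(v) else "weekly"
    state = "vulnerable" if is_vulnerable(v) else "fixed"
    return f"{state} ({line} {'.'.join(map(str, v))})"


def version_from_headers(headers: Dict[str, str]) -> Version:
    """Jenkins reports its version in the X-Jenkins response header;
    header names are matched case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return parse_version(value)
    raise ValueError("no X-Jenkins header present")


def fetch_version(base_url: str) -> Version:
    """Live check (assumes network access; not exercised below): request the
    instance root and read the X-Jenkins header."""
    with urllib.request.urlopen(base_url, timeout=10) as resp:
        return version_from_headers(dict(resp.headers))


if __name__ == "__main__":
    # Constructed sample inputs, not observations from a real instance.
    for sample in ("Jenkins 2.503", "2.504", "2.492.2", "2.492.3", "2.479.3"):
        print(f"{sample:>14}: {triage(sample)}")
    sample_headers = {"X-Jenkins": "2.492.2", "Content-Type": "text/html"}
    hv = version_from_headers(sample_headers)
    print("header check:", triage(".".join(map(str, hv))))
```

Run it against the output of `java -jar jenkins.war --version` or the X-Jenkins header of your instance; an older LTS such as 2.479.3 is correctly reported as vulnerable because it sits below 2.492.3 on the LTS line, while weekly 2.492 (no third component) is compared against 2.504.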
📡 Detection & Monitoring
Log Indicators:
- Unusual agent copy operations by users without Computer/Configure permission
- Access to agent configuration files by unauthorized users
Network Indicators:
- Unusual API calls to copy agent configurations
SIEM Query:
source="jenkins" AND (event="agent_copy" OR event="configuration_access") AND user_permissions!="Computer/Configure"