CVE-2025-31726
📋 TL;DR
The Jenkins Stack Hammer Plugin 1.0.6 and earlier stores API keys unencrypted in job configuration files, allowing users with Extended Read permission or filesystem access to view these sensitive credentials. This exposes authentication tokens that could be used to access external Stack Hammer services. Organizations using vulnerable Jenkins instances with this plugin are affected.
💻 Affected Systems
- Jenkins Stack Hammer Plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain API keys and use them to compromise external Stack Hammer services, potentially leading to data exfiltration, service disruption, or unauthorized actions in connected systems.
Likely Case
Internal users with Extended Read permission inadvertently or intentionally access API keys, leading to unauthorized use of Stack Hammer services and potential data exposure.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized users who already have sufficient permissions to view job configurations.
🎯 Exploit Status
Exploitation requires either Extended Read permission on Jenkins or direct filesystem access to the Jenkins controller.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.7 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3520
Restart Required: Yes
Instructions:
1. Update Jenkins Stack Hammer Plugin to version 1.0.7 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply changes.
3. Verify plugin version in Installed Plugins list.
🔧 Temporary Workarounds
Restrict Extended Read Permissions
Limit users with Extended Read permission to only trusted administrators who need to view job configurations.
Navigate to Jenkins > Manage Jenkins > Configure Global Security > Authorization
Remove API Keys from Existing Jobs
Manually remove or rotate Stack Hammer API keys stored in existing job configurations.
Edit each job configuration and remove Stack Hammer API key fields
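To find which jobs still carry a key in the clear before editing or rotating them, the following added script (not from the advisory or the plugin) walks JENKINS_HOME/jobs/*/config.xml and reports secret-looking elements whose value is not in Jenkins' encrypted Secret form, which serialises as base64 wrapped in braces. The element name StackHammerBuilder/apiKey in the sample is hypothetical, since the advisory does not name the plugin's XML fields; the tag-name pattern is an assumption you should widen or narrow for your own plugins. The sample config.xml files are constructed for the demonstration.

```python
"""Report plaintext secret-like values in Jenkins job config.xml files.
Added example; not code from the advisory or the Stack Hammer plugin."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Tag names that commonly hold credentials (assumed; adjust for your plugins).
SECRET_TAG_PATTERN = re.compile(r"(apikey|api_key|token|secret|password)", re.I)
# A Jenkins Secret is written to config.xml as base64 inside braces, e.g. {AQAAABAAAA...}
ENCRYPTED_SECRET_PATTERN = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def is_encrypted_secret(value):
    """True when the value looks like a Jenkins-encrypted Secret, not a raw key."""
    return bool(ENCRYPTED_SECRET_PATTERN.match(value.strip()))


def find_plaintext_secrets(xml_text):
    """Return [(element path, value)] for secret-like elements stored in clear text."""
    findings = []
    root = ET.fromstring(xml_text)

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if text and SECRET_TAG_PATTERN.search(elem.tag) and not is_encrypted_secret(text):
            findings.append((here, text))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def scan_jobs(jenkins_home):
    """Scan every jobs/<name>/config.xml under jenkins_home; return {job: findings}."""
    results = {}
    jobs_dir = os.path.join(jenkins_home, "jobs")
    if not os.path.isdir(jobs_dir):
        return results
    for job in sorted(os.listdir(jobs_dir)):
        cfg = os.path.join(jobs_dir, job, "config.xml")
        if not os.path.isfile(cfg):
            continue
        with open(cfg, encoding="utf-8") as fh:
            try:
                found = find_plaintext_secrets(fh.read())
            except ET.ParseError:
                continue  # skip unparsable files rather than abort the whole scan
        if found:
            results[job] = found
    return results


# Constructed samples: a hypothetical builder element holding a raw key, and the
# same element holding a properly encrypted Secret.
SAMPLE_PLAINTEXT = """<project>
  <builders>
    <com.example.StackHammerBuilder>
      <apiKey>sh_live_CONSTRUCTED_SAMPLE_KEY</apiKey>
    </com.example.StackHammerBuilder>
  </builders>
</project>"""

SAMPLE_ENCRYPTED = """<project>
  <builders>
    <com.example.StackHammerBuilder>
      <apiKey>{AQAAABAAAAAQconstructedbase64==}</apiKey>
    </com.example.StackHammerBuilder>
  </builders>
</project>"""


def build_sample_home():
    """Create a throwaway JENKINS_HOME with one leaky and one clean job; return its path."""
    home = tempfile.mkdtemp(prefix="jenkins_home_")
    for name, body in (("leaky-job", SAMPLE_PLAINTEXT), ("clean-job", SAMPLE_ENCRYPTED)):
        os.makedirs(os.path.join(home, "jobs", name))
        with open(os.path.join(home, "jobs", name, "config.xml"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return home


if __name__ == "__main__":
    import sys
    home = sys.argv[1] if len(sys.argv) > 1 else build_sample_home()
    for job, found in scan_jobs(home).items():
        for path, value in found:
            print(f"{job}: {path} = {value[:6]}... (plaintext)")
```

Run it with the real JENKINS_HOME as the first argument on the controller itself (it needs filesystem access, the same access the advisory says exposes the keys); with no argument it scans the constructed sample and reports only leaky-job. Treat every hit as a key to rotate, not just to delete, since anyone with Extended Read may already have read it.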
🧯 If You Can't Patch
- Implement strict access controls to limit Extended Read permission to essential personnel only.
- Monitor Jenkins controller filesystem access and audit logs for unauthorized configuration file access.
🔍 How to Verify
Check if Vulnerable:
Check Jenkins plugin manager for Stack Hammer Plugin version. If version is 1.0.6 or earlier, the instance is vulnerable.
Check Version:
Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed tab and search for 'Stack Hammer'
Verify Fix Applied:
Verify Stack Hammer Plugin version is 1.0.7 or later in Jenkins Plugin Manager.
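The version check above can be scripted against the plugin list Jenkins publishes at /pluginManager/api/json?depth=1, which returns each installed plugin's shortName and version. The script below is an added example, not part of the advisory; the plugin id "stackhammer" is an assumption to confirm against the shortName shown in your Plugin Manager, and the embedded response is constructed sample data so the check runs offline.

```python
"""Compare the installed Stack Hammer Plugin version against the fixed release.
Added example; not code from the advisory or the plugin."""
import base64
import json
import sys
import urllib.request

FIXED_VERSION = "1.0.7"            # first fixed release per the advisory
PLUGIN_SHORT_NAME = "stackhammer"  # assumed plugin id; verify in Plugin Manager


def parse_version(version):
    """Turn '1.0.6' or '2.4.1-beta' into a tuple of leading integers per component."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def assess(plugin_list_json):
    """Return ('vulnerable'|'fixed'|'not-installed', installed version or None)."""
    for plugin in plugin_list_json.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            installed = plugin.get("version", "0")
            if compare_versions(installed, FIXED_VERSION) < 0:
                return "vulnerable", installed
            return "fixed", installed
    return "not-installed", None


def fetch_plugin_list(base_url, user, api_token):
    """Fetch the plugin list with HTTP basic auth using a Jenkins user API token."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample response in the shape the endpoint returns (two plugins).
SAMPLE_RESPONSE = {
    "plugins": [
        {"shortName": "git", "version": "5.2.2", "active": True},
        {"shortName": "stackhammer", "version": "1.0.6", "active": True},
    ]
}


if __name__ == "__main__":
    if len(sys.argv) == 4:
        data = fetch_plugin_list(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        data = SAMPLE_RESPONSE
    status, version = assess(data)
    print(f"Stack Hammer Plugin: {status} (installed: {version}, fixed in: {FIXED_VERSION})")
```

Invoke it as python check.py https://jenkins.example.org USER API_TOKEN to query a live controller; with no arguments it evaluates the constructed sample and reports "vulnerable". Run the same check after the upgrade and restart to confirm the fix is applied.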
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to job configuration files
- Multiple failed authentication attempts to Stack Hammer services
Network Indicators:
- Unusual API calls to Stack Hammer services from unexpected IP addresses
SIEM Query:
source="jenkins.log" AND ("config.xml" OR "Stack Hammer") AND ("read" OR "access")