CVE-2025-64137
📋 TL;DR
The Jenkins Themis Plugin 1.4.1 and earlier contains a missing permission check vulnerability that allows authenticated attackers with Overall/Read permission to force Jenkins to connect to attacker-controlled HTTP servers. This could enable server-side request forgery (SSRF) attacks or data exfiltration. Organizations using vulnerable versions of the Jenkins Themis Plugin are affected.
💻 Affected Systems
- Jenkins Themis Plugin
📦 What is this software?
Themis by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use Jenkins as a proxy to scan internal networks, access internal HTTP services, or exfiltrate sensitive data from internal systems reachable by the Jenkins server.
Likely Case
Attackers with read access could probe internal network services, potentially discovering additional attack surfaces or sensitive information from internal HTTP endpoints.
If Mitigated
With proper network segmentation and strict permission controls, impact is limited to potential information disclosure about internal HTTP services accessible to the Jenkins server.
🎯 Exploit Status
Exploitation requires authenticated access with Overall/Read permission. Attackers need to understand Jenkins plugin functionality to craft malicious requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jenkins Themis Plugin 1.4.2 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3517
Restart Required: No
Instructions:
1. Access Jenkins web interface as administrator. 2. Navigate to Manage Jenkins > Manage Plugins. 3. Go to Available tab and search for 'Themis Plugin'. 4. Install version 1.4.2 or later. 5. No restart required for plugin updates in Jenkins.
🔧 Temporary Workarounds
Remove Overall/Read permission from untrusted users
allRestrict Overall/Read permission to only trusted administrators to prevent exploitation
Navigate to Manage Jenkins > Configure Global Security > Authorization
Uninstall Themis Plugin if not needed
allRemove the vulnerable plugin entirely if its functionality is not required
Navigate to Manage Jenkins > Manage Plugins > Installed tab > Select Themis Plugin > Uninstall
🧯 If You Can't Patch
- Implement strict network segmentation to limit Jenkins server's ability to reach internal HTTP services
- Apply principle of least privilege by removing Overall/Read permission from all non-administrative users
🔍 How to Verify
Check if Vulnerable:
Check Jenkins plugin manager for Themis Plugin version. If version is 1.4.1 or earlier, the system is vulnerable.Check Version:
Navigate to Manage Jenkins > Manage Plugins > Installed tab and check Themis Plugin versionVerify Fix Applied:
Verify Themis Plugin version is 1.4.2 or later in Jenkins plugin manager.📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP outbound connections from Jenkins server to unfamiliar domains or IPs
- Multiple failed authentication attempts followed by plugin-related requests
Network Indicators:
- Jenkins server making HTTP requests to unexpected external or internal destinations
- Unusual traffic patterns from Jenkins server to non-standard ports
SIEM Query:
source="jenkins.log" AND ("Themis" OR "plugin") AND ("HTTP" OR "connection" OR "request") AND NOT (destination_ip IN [allowed_ips])