CVE-2025-64143

4.3 MEDIUM

📋 TL;DR

The Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job configuration files, allowing users with Item/Extended Read permission or filesystem access to view sensitive credentials. This affects Jenkins instances using the vulnerable plugin version.

💻 Affected Systems

Products:
  • Jenkins OpenShift Pipeline Plugin
Versions: 1.0.57 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Jenkins instances using the OpenShift Pipeline Plugin. The vulnerability exists in default configurations where the plugin is installed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with appropriate permissions could steal OpenShift authorization tokens, potentially gaining unauthorized access to Kubernetes/OpenShift clusters and performing malicious operations.

🟠 Likely Case

Internal users with Item/Extended Read permission could inadvertently or intentionally view and misuse sensitive OpenShift credentials stored in job configurations.

🟢 If Mitigated

With strict access controls and proper permission management, only trusted administrators could access the sensitive data, limiting exposure.

🌐 Internet-Facing: LOW - This requires authenticated access to Jenkins or direct filesystem access, making internet-facing exploitation unlikely without other vulnerabilities.
🏢 Internal Only: MEDIUM - Internal users with Item/Extended Read permission or filesystem access could exploit this, posing moderate risk in environments with broad permissions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires Item/Extended Read permission on Jenkins jobs or direct access to the Jenkins controller filesystem. No authentication bypass is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.58 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3553

Restart Required: No

Instructions:

1. Update Jenkins OpenShift Pipeline Plugin to version 1.0.58 or later via Jenkins Plugin Manager.
2. No Jenkins restart required.
3. Existing job configurations will be automatically secured upon next configuration save.

🔧 Temporary Workarounds

Restrict Item/Extended Read Permissions

Limit users with Item/Extended Read permission to only trusted administrators to prevent unauthorized viewing of job configuration files.

Configure via Jenkins Manage Jenkins > Configure Global Security > Authorization

Secure Jenkins Controller Filesystem

Restrict filesystem access to Jenkins controller to prevent unauthorized users from reading config.xml files directly.

Use OS-level file permissions: set config.xml files to mode 600 owned by the Jenkins service account, and restrict access to the job directories themselves.

🧯 If You Can't Patch

  • Review and audit all users with Item/Extended Read permission, removing unnecessary access.
  • Implement strict filesystem access controls on Jenkins controller to prevent unauthorized config.xml file access.

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin manager for OpenShift Pipeline Plugin version. If version is 1.0.57 or earlier, the instance is vulnerable.

Check Version:

Navigate to Jenkins > Manage Jenkins > Plugin Manager > Installed plugins, and find OpenShift Pipeline Plugin.

Verify Fix Applied:

Verify plugin version is 1.0.58 or later in Jenkins Plugin Manager. Check that authorization tokens in job config.xml files are no longer stored in plain text.
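
As an added check for the "Verify Fix Applied" step (example code written for this page, not part of the advisory or the plugin's own tooling): scan job config.xml files for token-like elements whose value is not in the `{base64}` form Jenkins uses for encrypted Secret fields. The element name `authToken` in the sample XML and the sample values are constructed assumptions, not the plugin's actual field names, so adjust `TOKEN_TAG_RE` to the element names you see in your own job configurations.

```python
import re
from pathlib import Path
import xml.etree.ElementTree as ET

# Jenkins serialises an encrypted hudson.util.Secret as "{<base64>}".
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Assumption: token-bearing elements have "token" in their name.
TOKEN_TAG_RE = re.compile(r"token", re.IGNORECASE)


def find_plaintext_tokens(config_xml: str) -> list:
    """Return the names of token-like elements whose value is NOT encrypted.

    Only element names are returned, never the secret values, so the
    output is safe to log or ship to a SIEM.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter():
        if not TOKEN_TAG_RE.search(elem.tag):
            continue
        value = (elem.text or "").strip()
        if value and not ENCRYPTED_RE.match(value):
            findings.append(elem.tag)
    return findings


def scan_jobs(jenkins_home: str) -> dict:
    """Map each jobs/*/config.xml under JENKINS_HOME to its findings."""
    results = {}
    for cfg in Path(jenkins_home).glob("jobs/*/config.xml"):
        results[str(cfg)] = find_plaintext_tokens(cfg.read_text(encoding="utf-8"))
    return results


# Constructed samples: element names and values are placeholders.
VULNERABLE_XML = """<project>
  <builders>
    <authToken>PLAINTEXT-TOKEN-EXAMPLE</authToken>
  </builders>
</project>"""

FIXED_XML = """<project>
  <builders>
    <authToken>{AQAAABAAAAAwEXAMPLEencryptedSecret==}</authToken>
  </builders>
</project>"""

if __name__ == "__main__":
    print("vulnerable sample:", find_plaintext_tokens(VULNERABLE_XML))
    print("fixed sample:", find_plaintext_tokens(FIXED_XML))
```

Run `scan_jobs("/var/lib/jenkins")` (or your JENKINS_HOME) as the Jenkins service account; any non-empty list means a job still carries an unencrypted token and should be re-saved after the upgrade.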

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to job configuration files, multiple failed permission checks for Item/Extended Read

Network Indicators:

  • Unusual API calls to OpenShift/Kubernetes clusters from Jenkins nodes

SIEM Query:

source="jenkins" AND (event="ACCESS_DENIED" OR event="PERMISSION_CHECK_FAILED") AND user_privilege="Item/ExtendedRead"
