CVE-2025-64144
📋 TL;DR
The Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens in plaintext within job configuration files, allowing users with Item/Extended Read permissions or filesystem access to view these sensitive credentials. This affects all Jenkins instances using this plugin version.
💻 Affected Systems
- Jenkins ByteGuard Build Actions Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers with appropriate permissions could steal API tokens and use them to perform unauthorized actions in external systems integrated with Jenkins, potentially leading to data breaches or system compromise.
Likely Case
Internal users with extended read permissions could inadvertently or intentionally access API tokens, leading to unauthorized API calls to integrated services.
If Mitigated
With strict access controls limiting Item/Extended Read permissions and filesystem access, the exposure is contained to authorized administrators only.
🎯 Exploit Status
Exploitation requires Item/Extended Read permission or direct filesystem access to the Jenkins controller. No authentication bypass is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.1 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3560
Restart Required: No
Instructions:
1. Navigate to Jenkins Plugin Manager.
2. Update ByteGuard Build Actions Plugin to version 1.1 or later.
3. No Jenkins restart required.
4. Existing API tokens in config.xml files remain exposed until jobs are reconfigured.
🔧 Temporary Workarounds
Restrict Item/Extended Read Permissions
Limit Item/Extended Read permission to trusted administrators only, to reduce exposure.
Configure via Jenkins Manage Jenkins > Configure Global Security > Authorization
Secure Jenkins Controller Filesystem
Restrict filesystem access to the Jenkins controller to prevent unauthorized viewing of config.xml files.
Use OS-level file permissions to restrict access to JENKINS_HOME directory
🧯 If You Can't Patch
- Remove Item/Extended Read permission from all non-administrative users
- Audit and rotate all API tokens stored in Jenkins jobs that use ByteGuard plugin
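The fix does not rewrite existing job configurations (step 4 above), so the "audit and rotate" item needs a way to find which config.xml files still carry a plaintext token. The script below is an added example, not part of the advisory or the plugin: it walks JENKINS_HOME/jobs and flags secret-looking elements whose value is not in the "{base64}" form Jenkins uses for encrypted hudson.util.Secret values. The element names (placeholder.ByteGuardStep, apiToken) and the sample job configurations are constructed assumptions, since the advisory does not state the plugin's XML layout; the name heuristic is deliberately broad and should be tuned against a real config written by the plugin.

```python
import os
import re
import sys
import xml.etree.ElementTree as ET

# Jenkins serialises hudson.util.Secret values into config.xml as "{<base64>}".
# A secret-looking element whose text is non-empty and NOT in that form is
# stored in plaintext, which is the defect described for plugin version 1.0.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Heuristic on element names. The element names the ByteGuard plugin actually
# uses are not stated in the advisory, so this match is deliberately broad
# (assumption); tune it once you have a real config.xml written by the plugin.
SECRET_NAME_RE = re.compile(r"token|secret|password|passwd|apikey|api_key|credential", re.I)


def find_plaintext_secrets(xml_text):
    """Return [(element_path, value_length), ...] for secret-looking elements
    holding plaintext. The value itself is never returned, so the audit report
    does not re-leak the token it found."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        text = (elem.text or "").strip()
        if SECRET_NAME_RE.search(elem.tag) and text and not ENCRYPTED_RE.match(text):
            findings.append((path, len(text)))
        for child in elem:
            walk(child, path + "/" + child.tag)

    walk(root, root.tag)
    return findings


def audit_jenkins_home(jenkins_home):
    """Walk $JENKINS_HOME/jobs and map each offending config.xml to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(os.path.join(jenkins_home, "jobs")):
        if "config.xml" in files:
            path = os.path.join(dirpath, "config.xml")
            with open(path, encoding="utf-8") as fh:
                hits = find_plaintext_secrets(fh.read())
            if hits:
                results[path] = hits
    return results


# Constructed sample job configurations. "placeholder.ByteGuardStep" and
# "apiToken" stand in for the plugin's real element names, which are unknown here.
SAMPLE_VULNERABLE = """<project>
  <builders>
    <placeholder.ByteGuardStep plugin="byteguard-build-actions-plugin@1.0">
      <apiToken>bg_CONSTRUCTED_SAMPLE_TOKEN_1234</apiToken>
      <endpoint>https://byteguard.example/api</endpoint>
    </placeholder.ByteGuardStep>
  </builders>
</project>"""

SAMPLE_FIXED = """<project>
  <builders>
    <placeholder.ByteGuardStep plugin="byteguard-build-actions-plugin@1.1">
      <apiToken>{AQAAABAAAAAQc29tZXRoaW5nY29uc3RydWN0ZWQ=}</apiToken>
      <endpoint>https://byteguard.example/api</endpoint>
    </placeholder.ByteGuardStep>
  </builders>
</project>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python audit_tokens.py /var/lib/jenkins
        for path, hits in audit_jenkins_home(sys.argv[1]).items():
            for elem_path, length in hits:
                print(f"{path}: plaintext value ({length} chars) at {elem_path}")
    else:
        print("vulnerable sample:", find_plaintext_secrets(SAMPLE_VULNERABLE))
        print("fixed sample:     ", find_plaintext_secrets(SAMPLE_FIXED))
```

Every job the script reports should have its token rotated on the external service side as well as in Jenkins, since the value has already been readable to anyone holding Item/Extended Read or filesystem access; re-saving the job on plugin 1.1 only stops future exposure.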
🔍 How to Verify
Check if Vulnerable:
Check installed plugin version via Manage Jenkins > Plugin Manager > Installed tab. Look for ByteGuard Build Actions Plugin version 1.0.
Check Version:
curl -s -u "$JENKINS_USER:$JENKINS_API_TOKEN" "http://jenkins-host/pluginManager/api/json?depth=1" | jq -r '.plugins[] | select(.shortName == "byteguard-build-actions-plugin") | .version'
(The plugin manager JSON does not list shortName and version as adjacent keys, so a single grep for "shortName":"…","version":"…" never matches; jq selects the plugin entry by shortName and prints only its version. Omit -u on instances that allow anonymous read access to the API.)
Verify Fix Applied:
Verify plugin version is 1.1 or later in Plugin Manager. Check that API tokens in job config.xml files are no longer stored in plaintext.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized API calls from Jenkins IP using potentially stolen tokens
- Multiple failed authentication attempts to external services from Jenkins
Network Indicators:
- Unusual outbound API traffic from Jenkins to integrated services at unexpected times
SIEM Query:
source_ip="jenkins_server" AND (event_type="api_call" OR event_type="authentication_failure") AND destination_service="external_integrated_service"
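The log and network indicators above, and the pseudo SIEM query, can be turned into executable detection logic. The script below is an added example, not part of the advisory: it runs two rules over constructed key=value log records, one for a burst of authentication failures from the Jenkins controller to a single integrated service inside a short window, and one for API calls from the controller outside an expected business-hours window. The controller address, the field names (src, dst, event), the service name byteguard-api, the thresholds and the hours are all assumptions to be replaced with your environment's values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample records. Field names are assumptions standing in for
# whatever your SIEM normalises source/destination/event into.
SAMPLE_LOGS = """\
2025-11-03T02:14:07Z src=10.0.0.5 dst=byteguard-api event=api_call status=200
2025-11-03T10:15:01Z src=10.0.0.5 dst=byteguard-api event=authentication_failure status=401
2025-11-03T10:15:03Z src=10.0.0.5 dst=byteguard-api event=authentication_failure status=401
2025-11-03T10:15:09Z src=10.0.0.5 dst=byteguard-api event=authentication_failure status=401
2025-11-03T11:00:00Z src=10.0.0.9 dst=byteguard-api event=authentication_failure status=401
2025-11-03T14:30:00Z src=10.0.0.5 dst=byteguard-api event=api_call status=200
"""

JENKINS_IPS = {"10.0.0.5"}  # constructed address of the Jenkins controller


def parse_line(line):
    """Parse '<iso-timestamp> k=v k=v ...' into a dict with a tz-aware 'ts'."""
    ts_str, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect(lines, jenkins_ips, window=timedelta(seconds=60), threshold=3, business_hours=(8, 18)):
    """Return alerts for (a) >= threshold auth failures from a Jenkins IP to one
    destination within `window` and (b) API calls from a Jenkins IP outside
    business_hours (UTC, [start, end) ). Only the first burst per (src, dst) is
    reported, so a sustained failure stream does not flood the queue."""
    alerts = []
    failures = defaultdict(deque)   # (src, dst) -> recent failure timestamps
    burst_seen = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_line(line)
        if ev["src"] not in jenkins_ips:
            continue                # the page's indicators are scoped to Jenkins' IP
        key = (ev["src"], ev["dst"])
        if ev["event"] == "authentication_failure":
            q = failures[key]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and key not in burst_seen:
                burst_seen.add(key)
                alerts.append({"rule": "burst_auth_failures", "src": ev["src"],
                               "dst": ev["dst"], "count": len(q),
                               "at": ev["ts"].isoformat()})
        elif ev["event"] == "api_call":
            start, end = business_hours
            if not start <= ev["ts"].hour < end:
                alerts.append({"rule": "off_hours_api_call", "src": ev["src"],
                               "dst": ev["dst"], "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines(), JENKINS_IPS):
        print(alert)
```

On the sample data the 02:14 UTC call trips the off-hours rule and the three 401s between 10:15:01 and 10:15:09 trip the burst rule; the failure from 10.0.0.9 is ignored because it is not a Jenkins address. A stolen token used from the attacker's own host would not originate from the Jenkins IP at all, so these rules should be paired with the integrated service's own audit log, where the token's use from an unexpected source address is visible.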