CVE-2025-64145
📋 TL;DR
The Jenkins ByteGuard Build Actions Plugin 1.0 fails to mask API tokens in the job configuration form, potentially exposing sensitive credentials to unauthorized viewers. This affects Jenkins administrators and users who configure jobs using this plugin, allowing attackers who gain access to configuration pages to capture these tokens.
💻 Affected Systems
- Jenkins ByteGuard Build Actions Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers capture API tokens and gain unauthorized access to Jenkins or integrated systems, potentially leading to data theft, code manipulation, or lateral movement within the environment.
Likely Case
Authorized users with configuration access inadvertently expose tokens to onlookers or during screen sharing, leading to credential misuse within the Jenkins environment.
If Mitigated
With proper access controls and monitoring, exposure is limited to authorized personnel only, reducing the risk of malicious exploitation.
🎯 Exploit Status
Exploitation requires access to Jenkins job configuration pages, typically requiring at least Job/Configure permissions. No authentication bypass is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.1 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3560
Restart Required: No
Instructions:
1. Update Jenkins ByteGuard Build Actions Plugin to version 1.1 or later via Jenkins Plugin Manager.
2. No Jenkins restart required.
3. Verify tokens are now masked in job configuration forms.
🔧 Temporary Workarounds
Restrict configuration access
Limit Job/Configure permissions to trusted administrators only to reduce exposure surface.
Configure Jenkins security matrix to restrict 'Job/Configure' permissions
Use credential binding
Store API tokens in Jenkins Credentials Store and reference them via credential binding instead of direct entry in job configuration.
Add tokens to Jenkins Credentials Store, reference with ${TOKEN_NAME} in job config
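The credential-binding workaround above, written out as a declarative Jenkinsfile. This is an added example, not code from the plugin or the advisory: it assumes a "Secret text" credential with the ID byteguard-api-token has already been created in the Jenkins Credentials Store, and the BYTEGUARD_URL value and the curl call are placeholders for whatever the ByteGuard step actually does. The token never appears in the job configuration form or in config.xml; it is injected only for the duration of the withCredentials block and masked in the console log.

```groovy
// Added example: bind the ByteGuard API token from the Credentials Store at run time
// instead of typing it into the job configuration form.
// Assumptions: a Secret text credential with ID 'byteguard-api-token' exists;
// BYTEGUARD_URL and the curl call below are placeholders.
pipeline {
    agent any
    environment {
        // Placeholder endpoint; not a real ByteGuard URL.
        BYTEGUARD_URL = 'https://byteguard.example/api/scan'
    }
    stages {
        stage('Call ByteGuard') {
            steps {
                // credentialsId must match the ID chosen when the credential was created.
                withCredentials([string(credentialsId: 'byteguard-api-token',
                                        variable: 'BYTEGUARD_TOKEN')]) {
                    // Single-quoted Groovy string: the shell, not Groovy, expands
                    // $BYTEGUARD_TOKEN, so the secret is never interpolated into the
                    // script text that Jenkins records. 'set +x' keeps the shell from
                    // echoing the command line that carries the token.
                    sh '''
                        set +x
                        curl -fsS \
                          -H "Authorization: Bearer $BYTEGUARD_TOKEN" \
                          "$BYTEGUARD_URL"
                    '''
                }
                // Outside the block BYTEGUARD_TOKEN is unset again.
            }
        }
    }
}
```

For freestyle jobs the same binding is configured under Build Environment > "Use secret text(s) or file(s)", which populates the variable referenced as ${TOKEN_NAME} in the step above. Either way, the value that used to sit in the plugin's form field is now a reference to a credential ID, which is what a viewer of the configuration page sees.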
🧯 If You Can't Patch
- Implement strict access controls to limit who can view job configuration pages
- Regularly rotate API tokens used in ByteGuard plugin configurations
🔍 How to Verify
Check if Vulnerable:
Check if ByteGuard Build Actions Plugin version 1.0 is installed via Jenkins Plugin Manager or by examining the plugins directory.
Check Version:
Navigate to Jenkins > Manage Jenkins > Plugin Manager > Installed plugins, search for 'ByteGuard Build Actions Plugin'
Verify Fix Applied:
After updating to version 1.1+, verify that API token fields in job configuration forms display masked characters (asterisks or dots) instead of plain text.
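A script-console check that automates the version lookup described above, for controllers with many plugins or many controllers. This is an added example, not part of the advisory; it assumes the plugin's display name contains the string "ByteGuard" (the match string is an assumption, since the page does not give the plugin's short name) and uses Jenkins' own PluginWrapper and VersionNumber classes.

```groovy
// Added example: run in Manage Jenkins > Script Console to find installed
// ByteGuard Build Actions Plugin versions and flag anything older than 1.1.
// Assumption: the plugin's long (display) name contains "ByteGuard".
import hudson.util.VersionNumber
import jenkins.model.Jenkins

def fixedIn = new VersionNumber('1.1')   // first version that masks the token field

// PluginManager.getPlugins() returns one PluginWrapper per installed plugin.
def matches = Jenkins.get().pluginManager.plugins.findAll { p ->
    p.longName?.contains('ByteGuard')
}

if (matches.isEmpty()) {
    println 'ByteGuard Build Actions Plugin: not installed'
}

matches.each { p ->
    // PluginWrapper.getVersionNumber() parses the manifest version for comparison.
    def installed = p.versionNumber
    def state = installed.isOlderThan(fixedIn)
        ? 'VULNERABLE - update to 1.1 or later'
        : 'fixed'
    println "${p.shortName} ${p.version} (enabled=${p.enabled}) -> ${state}"
}
```

The version check only tells you the fix is installed; the visual check above (masked characters in the token field) still confirms that the form is actually rendering the new behaviour, and tokens that were entered under 1.0 should be rotated regardless, since they were visible to anyone who had configuration access before the update.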
📡 Detection & Monitoring
Log Indicators:
- Unusual API token usage patterns from unexpected IP addresses or user accounts
Network Indicators:
- Unexpected API calls using ByteGuard-related tokens to external systems
SIEM Query:
source="jenkins.log" AND ("ByteGuard" OR "API token") AND ("unauthorized" OR "failed authentication")