CVE-2025-67637
📋 TL;DR
Jenkins versions 2.540 and earlier (including LTS 2.528.2 and earlier) store build authorization tokens unencrypted in job configuration files. This allows users with Item/Extended Read permission or filesystem access to view these tokens, potentially enabling unauthorized build triggering or job manipulation.
💻 Affected Systems
- Jenkins
📦 What is this software?
Jenkins by Jenkins
Jenkins by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Attackers with appropriate permissions could steal build tokens to trigger unauthorized builds, modify job configurations, or escalate privileges within the Jenkins environment.
Likely Case
Internal users with Item/Extended Read permission could view and misuse build tokens to trigger builds they shouldn't have access to, potentially exposing sensitive build artifacts or credentials.
If Mitigated
With strict permission controls and filesystem access restrictions, the impact is limited to authorized users who already have significant Jenkins access.
🎯 Exploit Status
Exploitation requires existing Jenkins permissions or filesystem access; no authentication bypass needed for authorized users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jenkins 2.541, Jenkins LTS 2.528.3
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-783
Restart Required: Yes
Instructions:
1. Backup Jenkins configuration and data. 2. Upgrade Jenkins to version 2.541 or later (or LTS 2.528.3 or later). 3. Restart Jenkins service. 4. Verify upgrade completed successfully.
🔧 Temporary Workarounds
Restrict Item/Extended Read Permissions
allLimit users with Item/Extended Read permission to only trusted administrators to reduce exposure.
Navigate to Jenkins > Manage Jenkins > Configure Global Security > Authorization
Secure Jenkins Controller Filesystem
linuxRestrict filesystem access to Jenkins controller directories containing config.xml files.
chmod 600 /var/lib/jenkins/jobs/*/config.xml
chown jenkins:jenkins /var/lib/jenkins/jobs/*/config.xml
🧯 If You Can't Patch
- Review and restrict Item/Extended Read permissions to minimal necessary users
- Implement strict filesystem access controls on Jenkins controller directories
🔍 How to Verify
Check if Vulnerable:
Check Jenkins version via Manage Jenkins > About Jenkins or run: java -jar jenkins.war --versionCheck Version:
java -jar jenkins.war --versionVerify Fix Applied:
Verify Jenkins version is 2.541 or later (or LTS 2.528.3 or later) and check that config.xml files no longer contain plaintext build tokens📡 Detection & Monitoring
Log Indicators:
- Unauthorized build triggers from unexpected users
- Multiple failed build attempts with stolen tokens
Network Indicators:
- Unusual build trigger patterns or timing
SIEM Query:
source="jenkins" AND (event="BUILD_TRIGGERED" AND user NOT IN [authorized_users])