CVE-2025-67642

4.3 MEDIUM

📋 TL;DR

This vulnerability in the Jenkins HashiCorp Vault Plugin allows attackers with Item/Configure permission to use Vault credentials they are not authorised to access, potentially capturing sensitive secrets. It affects Jenkins instances running vulnerable versions of the HashiCorp Vault Plugin.

💻 Affected Systems

Products:
  • Jenkins HashiCorp Vault Plugin
Versions: 371.v884a_4dd60fb_6 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Item/Configure permission in Jenkins and use of HashiCorp Vault credentials

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could exfiltrate all Vault credentials accessible to Jenkins, compromising secrets management and potentially gaining access to other systems.

🟠 Likely Case: Privileged Jenkins users could access Vault credentials beyond their intended scope, leading to unauthorized access to secrets.

🟢 If Mitigated: With proper permission controls and monitoring, impact is limited to credential exposure within the Jenkins environment.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated Jenkins user who already holds Item/Configure permission.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 372.v884a_4dd60fb_7 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3045

Restart Required: Yes

Instructions:

1. Update Jenkins HashiCorp Vault Plugin to version 372.v884a_4dd60fb_7 or later
2. Restart Jenkins instance
3. Verify plugin version in Jenkins plugin manager

🔧 Temporary Workarounds

Restrict Item/Configure Permissions (applies to: all): Tighten Jenkins permission controls to limit the users who have Item/Configure access.

Audit Vault Credential Usage (applies to: all): Review and monitor access to Vault credentials in Jenkins.

🧯 If You Can't Patch

  • Restrict Jenkins user permissions to minimum required
  • Implement additional monitoring for Vault credential access patterns

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin manager for HashiCorp Vault Plugin version 371.v884a_4dd60fb_6 or earlier

Check Version:

Navigate to Jenkins > Manage Jenkins > Plugin Manager > Installed plugins

Verify Fix Applied:

Confirm plugin version is 372.v884a_4dd60fb_7 or later in Jenkins plugin manager
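The same check can be automated against the Jenkins plugin-manager JSON API. This is an added example, not code from the advisory or from the plugin project; the plugin short name `hashicorp-vault-plugin` and the `/pluginManager/api/json?depth=1` endpoint are assumptions to confirm against your own controller, and the sample response is constructed.

```python
import base64
import json
import re
from urllib.request import Request, urlopen

# Assumed plugin short name (its artifactId); confirm it in your Plugin Manager.
PLUGIN_ID = "hashicorp-vault-plugin"
FIXED_RELEASE = 372  # first fixed release per the advisory: 372.v884a_4dd60fb_7

# Jenkins incrementals versions look like 371.v884a_4dd60fb_6: the leading
# integer is the release counter. Older dotted versions (e.g. 3.8.0) also
# parse, and their small leading number correctly counts as "earlier".
VERSION_RE = re.compile(r"^(\d+)\.")

def release_number(version):
    """Release counter taken from the leading integer of a version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised plugin version format: {version!r}")
    return int(m.group(1))

def is_vulnerable(version):
    """True when the installed release predates the first fixed release."""
    return release_number(version) < FIXED_RELEASE

def assess(plugin_manager_json):
    """Evaluate the JSON body of /pluginManager/api/json?depth=1."""
    for p in json.loads(plugin_manager_json).get("plugins", []):
        if p.get("shortName") == PLUGIN_ID:
            version = p.get("version", "")
            try:
                vulnerable = is_vulnerable(version)
            except ValueError:
                vulnerable = None  # unknown format: check by hand
            return {"installed": True, "version": version, "vulnerable": vulnerable}
    return {"installed": False, "version": None, "vulnerable": False}

def fetch_plugin_manager(base_url, user, api_token):
    """Read the plugin list from a live controller (needs Overall/Read)."""
    auth = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req = Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1",
                  headers={"Authorization": "Basic " + auth})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode()

SAMPLE = json.dumps({"plugins": [  # constructed sample response, for offline use
    {"shortName": PLUGIN_ID, "version": "371.v884a_4dd60fb_6"},
]})

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Against a live instance, pass the output of `fetch_plugin_manager(...)` to `assess()`; a `vulnerable` value of `None` means the version string did not parse and should be compared by hand.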

📡 Detection & Monitoring

Log Indicators:

  • Unusual Vault credential access patterns
  • Multiple failed credential lookups from the same user

Network Indicators:

  • Increased Vault API calls from Jenkins instance

SIEM Query:

source="jenkins.log" AND ("Vault" OR "credential") AND ("access" OR "lookup")

🔗 References
