CVE-2025-67643
📋 TL;DR
A vulnerability in the Jenkins Redpen - Pipeline Reporter for Jira Plugin allows attackers with Item/Configure permission to bypass path validation and retrieve arbitrary files from the Jenkins controller workspace directory. This affects Jenkins instances running the vulnerable plugin version. Attackers can access sensitive files that should be restricted.
💻 Affected Systems
- Jenkins Redpen - Pipeline Reporter for Jira Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could retrieve sensitive configuration files, credentials, or source code from the Jenkins controller, potentially leading to further system compromise or data exfiltration.
Likely Case
Attackers with Item/Configure permission can access files in the workspace directory, potentially exposing build artifacts, temporary files, or other sensitive data stored there.
If Mitigated
With proper access controls and network segmentation, impact is limited to files within the workspace directory accessible to users with Item/Configure permission.
🎯 Exploit Status
Exploitation requires Item/Configure permission. The vulnerability is a path traversal issue in artifact upload functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.055 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3290
Restart Required: Yes
Instructions:
1. Update Jenkins Redpen - Pipeline Reporter for Jira Plugin to version 1.055 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.
3. Verify the plugin version is updated.
🔧 Temporary Workarounds
Restrict Item/Configure Permissions
Limit Item/Configure permissions to trusted users only to reduce attack surface.
Disable Plugin
Temporarily disable the Redpen - Pipeline Reporter for Jira Plugin if not essential.
Manage Jenkins > Manage Plugins > Installed > Redpen - Pipeline Reporter for Jira > Disable
🧯 If You Can't Patch
- Implement strict access controls to limit Item/Configure permissions to minimal necessary users.
- Monitor Jenkins logs for unusual file access patterns from the plugin.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in Jenkins: Manage Jenkins > Manage Plugins > Installed > Redpen - Pipeline Reporter for Jira. If version is 1.054.v7b_9517b_6b_202 or earlier, you are vulnerable.
Check Version:
Jenkins web interface: Manage Jenkins > Manage Plugins > Installed > Redpen - Pipeline Reporter for Jira
Verify Fix Applied:
Verify plugin version is 1.055 or later in Jenkins Plugin Manager. Test artifact upload functionality to Jira to ensure path validation works.
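The version check above can be scripted against the Jenkins plugin manager API (`GET /pluginManager/api/json?depth=1`), which is useful when you have many controllers. The following is an added example, not code from Jenkins or the Redpen plugin; the JSON it parses is a constructed sample, the plugin `shortName` is an assumption (the page only gives the display name), and versions are compared on their leading numeric components only, which is sufficient for the 1.054 / 1.055 boundary stated in the advisory.

```python
import json
from typing import List, Tuple

# Constructed sample of what Jenkins returns from
# GET /pluginManager/api/json?depth=1, reduced to the fields this check needs.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "longName": "Git plugin",
         "version": "5.7.0", "active": True},
        {"shortName": "redpen-pipeline-reporter",  # shortName is an assumption
         "longName": "Redpen - Pipeline Reporter for Jira",
         "version": "1.054.v7b_9517b_6b_202", "active": True},
    ]
})

FIXED_VERSION = "1.055"          # fixed release named in the advisory
PLUGIN_NAME_FRAGMENT = "Redpen"  # matched against longName as shown in Plugin Manager


def numeric_prefix(version: str) -> Tuple[int, ...]:
    """Leading numeric components of a Jenkins plugin version string.

    '1.054.v7b_9517b_6b_202' -> (1, 54); '1.055' -> (1, 55).
    The 'v<hash>' suffix of incremental builds is ignored; the vulnerable/fixed
    boundary for this advisory lies entirely in the numeric part.
    """
    parts: List[int] = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return numeric_prefix(version) < numeric_prefix(fixed)


def find_vulnerable_plugins(plugin_manager_json: str) -> List[dict]:
    """Return every Redpen install in a pluginManager API document that predates the fix."""
    data = json.loads(plugin_manager_json)
    findings = []
    for p in data.get("plugins", []):
        if PLUGIN_NAME_FRAGMENT.lower() in p.get("longName", "").lower():
            if is_vulnerable(p.get("version", "0")):
                findings.append({"shortName": p.get("shortName"),
                                 "version": p["version"], "active": p.get("active")})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_plugins(SAMPLE_PLUGIN_MANAGER_JSON):
        print(f"VULNERABLE: {f['shortName']} {f['version']} (active={f['active']}) "
              f"-> update to {FIXED_VERSION} or later")
```

A disabled plugin (`active` false) is still reported, since the workaround on this page is temporary and the version should still be updated.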
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from the Redpen plugin
- Failed path validation attempts in plugin logs
- Multiple artifact upload attempts with unusual paths
Network Indicators:
- Unusual outbound connections from Jenkins to Jira during non-build times
SIEM Query:
source="jenkins.log" AND "Redpen" AND ("path traversal" OR "invalid path" OR "security-3290")