Jenkins, Missing Permission Check, CVE-2025-31720 (Medium)


How CVE-2025-31720 Works

Jenkins 2.503 and earlier, including LTS 2.492.2 and earlier, does not perform a permission check in the HTTP endpoint that copies an existing agent (node) configuration. A user who holds `Computer/Create` but not `Computer/Extended Read` on the source agent can copy that agent and then read the copy's configuration, which discloses exactly what Extended Read is meant to protect: launcher settings (for example an SSH host, port and the credentials ID the launcher uses, or JVM options), environment-variable node properties, which frequently carry secrets in plain text, and tool locations. Stored credentials themselves are not copied, since the configuration only references them by ID, but any secret placed directly in an environment variable or launcher option is. The root cause is that the copy operation validated only the caller's right to create nodes, not their right to read the source node's full configuration; it is an authorization bypass leading to information disclosure rather than a privilege escalation. Jenkins 2.504 and LTS 2.492.3 add the Extended Read check to the copy operation.

DailyCVE Form

Platform: Jenkins
Version: ≤ 2.503 (weekly) / ≤ 2.492.2 (LTS); fixed in 2.504 / 2.492.3 (LTS)
Vulnerability: Missing Permission Check
Severity: Medium
Date: 04/29/2025

What Undercode Say:

Exploitation:

1. Replication Steps:

  • Authenticate as a user who holds `Computer/Create` but not `Computer/Extended Read` on the target agent. Use an API token for HTTP Basic auth; a password over Basic auth would additionally require a CSRF crumb.
  • Trigger the copy through the node-creation endpoint that the "Copy Existing Node" form posts to (there is no separate doCopy URL); on an unpatched instance the source agent's Extended Read permission is never checked:
    curl -X POST -u attacker:API_TOKEN "http://jenkins/computer/createItem" --data "name=agent2&mode=copy&from=agent1"
    
  • Jenkins creates agent2 as a copy of agent1 and redirects to its configure page. Read the duplicated configuration at `http://jenkins/computer/agent2/configure` (or `http://jenkins/computer/agent2/config.xml`). Whether the copy is readable depends only on the caller's permissions on the new node (Configure on a node implies Extended Read on it); the missing check concerned the source node.

2. Metasploit Module (Hypothetical):

Illustrative pseudocode only; this is not an existing module and not valid msfconsole syntax. A real module would do nothing more than issue the createItem copy request above with the supplied credentials and fetch the resulting configuration.

module.exploit('jenkins/agent_copy') do
set('RHOSTS', 'target_jenkins')
set('USERNAME', 'attacker')
set('PASSWORD', 'password')
end
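Before attempting the steps above, or when triaging an estate, it is worth confirming that an instance is actually in the affected range. The following is an added example (not from the advisory, from Jenkins or from the brief's sources) that classifies a version string as Jenkins reports it in the `X-Jenkins` response header. It takes the fixed versions from the advisory (2.504 weekly, 2.492.3 LTS) and assumes Jenkins' numbering convention that weekly releases carry two components (2.503) and LTS releases three (2.492.2); the helper names are my own.

```python
"""Classify a Jenkins version against the CVE-2025-31720 fix.

Added example, not from the advisory or the Jenkins project. Fixed versions
(weekly 2.504, LTS 2.492.3) come from the advisory; telling weekly from LTS
by component count is an assumption that matches Jenkins' numbering.
"""
from __future__ import annotations

from typing import Mapping

FIXED_WEEKLY = (2, 504)      # first fixed weekly release
FIXED_LTS = (2, 492, 3)      # first fixed LTS release


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.492.2' or '2.503' into a comparable tuple of ints.

    Trailing qualifiers such as '-SNAPSHOT' are dropped; anything else that is
    not dotted digits raises, so an unknown banner is never silently 'fixed'.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if this version still lacks the Extended Read check on agent copy."""
    v = parse_version(version)
    if len(v) >= 3:
        # LTS line (2.x.y). Every LTS release before 2.492.3, including older
        # lines such as 2.479.3, predates the fix; 2.504.1 and later are fixed.
        return v < FIXED_LTS
    # Weekly line (2.x).
    return v < FIXED_WEEKLY


def affected_from_headers(headers: Mapping[str, str]) -> bool | None:
    """Evaluate the X-Jenkins header of an HTTP response (case-insensitive).

    Returns None when the header is absent (for example behind a proxy that
    strips it) instead of guessing either way.
    """
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return is_affected(value)
    return None


if __name__ == "__main__":
    for v in ("2.503", "2.504", "2.492.2", "2.492.3", "2.479.3"):
        print(v, "affected" if is_affected(v) else "fixed")
```

Point it at the headers of any authenticated or unauthenticated response from the instance; `X-Jenkins` is present even on the login page unless a reverse proxy removes it, in which case the function returns None and the version must be read from the UI footer instead.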

Mitigation:

1. Patch Upgrade:

Upgrade to 2.504 (weekly line) or 2.492.3 (LTS line), whichever repository the instance tracks. On Debian/Ubuntu with the Jenkins apt repository:

sudo apt-get update && sudo apt-get install jenkins=2.504
(weekly repository) or
sudo apt-get update && sudo apt-get install jenkins=2.492.3
(LTS repository)

2. Temporary Workaround:

  • Restrict `Computer/Create` to trusted administrators until the upgrade is done; users who cannot create nodes cannot reach the unchecked copy operation.
  • Review what each agent's configuration would expose (environment-variable node properties, launcher settings such as credentials IDs and JVM options). From Manage Jenkins > Script Console:
    Jenkins.instance.nodes.each { n -> println n.nodeName + ": " + n.nodeProperties.collect { it.getClass().getSimpleName() } }
    
    To dump an agent's full configuration use println Jenkins.XSTREAM.toXML(n) instead, or read $JENKINS_HOME/nodes/<name>/config.xml on disk; both include any plaintext environment values, so treat the output as sensitive.
    

3. Network Controls:

Limiting who can reach the web UI shrinks the pool of potential attackers but does not remove the flaw, which any authenticated user with `Computer/Create` can exercise. An ACCEPT rule on its own changes nothing; it needs a matching DROP for every other source (adjust trusted_ip and the port to the deployment):

iptables -A INPUT -p tcp --dport 8080 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

Detection:

  • Log Analysis: Jenkins writes no HTTP access log by default. Enable Winstone's logger by adding --accessLoggerClassName=winstone.accesslog.SimpleAccessLogger --simpleAccessLogger.file=/var/log/jenkins/access.log --simpleAccessLogger.format=combined to the Jenkins startup arguments. The copy is a POST to /computer/createItem; mode=copy and the source name travel in the form body, so the access log alone cannot separate copies from ordinary node creation:
    grep 'POST /computer/createItem' /var/log/jenkins/access.log
    
    Correlate each hit with a following GET of /computer/<name>/configure or /computer/<name>/config.xml from the same client. If the Audit Trail plugin is installed, its log records the acting user for matching requests, which the access log may not.
  • YARA Rule (for scanning archived access logs; the string is the real copy endpoint, not a doCopy URL):
    rule jenkins_agent_copy {
        strings:
            $s = "POST /computer/createItem"
        condition:
            $s
    }
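As an added example (not part of the advisory or of this brief's sources), the following implements the correlation described in the log-analysis bullet over Apache-style combined log lines, which is what Winstone's SimpleAccessLogger emits with --simpleAccessLogger.format=combined. The sample lines are constructed, not captured from a real instance. It flags a POST to /computer/createItem followed within a five-minute window by a successful read of a node's configure page or config.xml from the same client; correlation is keyed on the client IP, so it works whether or not the user field is populated. The window length and the function names are my own choices.

```python
"""Spot agent copy-then-read sequences in a Jenkins access log.

Added example; not from the advisory or the Jenkins project. Assumes
Apache combined log lines (Winstone's SimpleAccessLogger, format=combined).
"""
import re
from datetime import datetime, timedelta

# host ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Node copies (mode=copy in the body) and plain node creation both hit this URL.
CREATE_RE = re.compile(r'^/computer/createItem(\?.*)?$')
# Reads of a node's configuration that would follow a successful copy.
READ_RE = re.compile(r'^/computer/(?P<node>[^/]+)/(config\.xml|configure)(\?.*)?$')
WINDOW = timedelta(minutes=5)  # assumption: a copy is read back promptly

# Constructed sample: mallory copies then reads agent2 within seconds; bob's
# read comes ten minutes after his createItem and falls outside the window;
# alice only opens an existing node's configure page.
SAMPLE_LOG = """\
10.0.0.5 - mallory [29/Apr/2025:10:15:01 +0000] "GET /computer/ HTTP/1.1" 200 5120 "-" "curl/8.5.0"
10.0.0.5 - mallory [29/Apr/2025:10:15:07 +0000] "POST /computer/createItem HTTP/1.1" 302 0 "-" "curl/8.5.0"
10.0.0.5 - mallory [29/Apr/2025:10:15:09 +0000] "GET /computer/agent2/config.xml HTTP/1.1" 200 2210 "-" "curl/8.5.0"
10.0.0.9 - alice [29/Apr/2025:10:20:00 +0000] "GET /computer/agent1/configure HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
10.0.0.7 - bob [29/Apr/2025:10:30:00 +0000] "POST /computer/createItem HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - bob [29/Apr/2025:10:40:00 +0000] "GET /computer/agent3/config.xml HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
not a log line at all
""".splitlines()


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_copy_then_read(lines):
    """Return (ip, user, node, seconds) for each createItem POST that the same
    client followed, within WINDOW, by reading a node's configuration."""
    pending = {}   # client ip -> time of its most recent successful createItem
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and CREATE_RE.match(rec["path"]):
            # Jenkins answers a copy with a redirect to the new node's configure page.
            if rec["status"] in (200, 302):
                pending[rec["ip"]] = rec["ts"]
            continue
        m = READ_RE.match(rec["path"])
        if m and rec["method"] == "GET" and rec["status"] == 200:
            started = pending.get(rec["ip"])
            if started is not None and rec["ts"] - started <= WINDOW:
                delay = int((rec["ts"] - started).total_seconds())
                hits.append((rec["ip"], rec["user"], m.group("node"), delay))
                pending.pop(rec["ip"])  # one alert per copy
    return hits


if __name__ == "__main__":
    for ip, user, node, secs in find_copy_then_read(SAMPLE_LOG):
        print(f"{ip} ({user}) created then read {node} after {secs}s")
```

Run it over the real file with `find_copy_then_read(open("/var/log/jenkins/access.log"))`. A hit is not proof of exploitation, since a legitimate administrator copying a node produces the same sequence; what makes it actionable is checking whether the acting user holds Extended Read on the node that was copied, which the log cannot tell you and the Audit Trail plugin or the authorization matrix can.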
    

Credential Rotation:

  • `reload-configuration` only re-reads configuration from disk; it rotates nothing. If an agent configuration was exposed, rotate what it referenced: the credentials its launcher uses (Manage Jenkins > Credentials, for example the SSH key or password behind the credentials ID), any secret stored in an environment-variable node property, and then delete the rogue copied agent. Only if you edited files under $JENKINS_HOME by hand afterwards is a reload needed:
    java -jar jenkins-cli.jar -s http://localhost:8080/ -auth admin:API_TOKEN reload-configuration
    
    

(End of Technical Brief)

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
