CVE-2025-31720 Overview
A missing permission check vulnerability has been identified in Jenkins that allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, thereby gaining unauthorized access to its configuration. This vulnerability affects Jenkins 2.503 and earlier, as well as LTS 2.492.2 and earlier versions.
Critical Impact
Attackers can exploit insufficient authorization controls to access sensitive agent configuration data, potentially exposing credentials, secrets, and infrastructure details stored in Jenkins agent configurations.
Affected Products
- Jenkins 2.503 and earlier
- Jenkins LTS 2.492.2 and earlier
Discovery Timeline
- 2025-04-02 - CVE-2025-31720 published to NVD
- 2025-04-29 - Last updated in NVD database
Technical Details for CVE-2025-31720
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), a broken access control flaw in the Jenkins authorization framework. The core issue lies in how Jenkins handles permission validation when users attempt to copy agent configurations.
When a user initiates an agent copy operation, Jenkins correctly verifies the Computer/Create permission but fails to validate whether the user also possesses the Computer/Extended Read permission. The Computer/Extended Read permission is specifically designed to control access to sensitive agent configuration details, including connection credentials, environment variables, and node properties.
By exploiting this gap, an attacker with only Computer/Create privileges can bypass the intended authorization model and extract configuration data that should require elevated permissions to view. This exposes potentially sensitive information such as SSH credentials, cloud provider API keys, or other secrets embedded in agent configurations.
Root Cause
The root cause is a missing permission check in the agent copy functionality within Jenkins core. The authorization logic performs an incomplete permission validation, checking only for Computer/Create permission while neglecting to enforce the Computer/Extended Read permission requirement. This oversight allows users to perform actions that exceed their intended authorization scope.
Attack Vector
The attack is network-based and requires authenticated access with at least Computer/Create permission. An attacker would:
- Authenticate to the Jenkins instance with a user account possessing Computer/Create permission
- Initiate a copy operation on an existing agent/node
- The copy operation succeeds without validating Computer/Extended Read permission
- The attacker gains access to the full agent configuration, including sensitive data
The vulnerability can be exploited through the Jenkins web interface or API endpoints that handle agent management operations. For detailed technical information, refer to the Jenkins Security Advisory #SECURITY-3512.
Detection Methods for CVE-2025-31720
Indicators of Compromise
- Unexpected agent copy operations performed by users who lack Computer/Extended Read permission
- Audit log entries showing agent duplication activities from accounts with limited privileges
- New agents appearing in Jenkins configuration that mirror existing agent settings
Detection Strategies
- Review Jenkins audit logs for agent copy operations and correlate with user permission levels
- Monitor API calls to agent management endpoints for suspicious activity patterns
- Implement alerting on agent creation events and validate against authorized user lists
- Cross-reference user permission assignments with recent agent management activities
Monitoring Recommendations
- Enable comprehensive audit logging in Jenkins to capture all agent-related operations
- Configure SIEM integration to detect anomalous permission usage patterns
- Regularly review user permission assignments to ensure least-privilege principles
- Monitor for configuration changes on sensitive agents containing credentials or secrets
How to Mitigate CVE-2025-31720
Immediate Actions Required
- Upgrade Jenkins to version 2.504 or later (or LTS 2.492.3 or later)
- Audit current user permissions and restrict Computer/Create permission to trusted users only
- Review existing agent configurations for sensitive data exposure
- Implement network segmentation to limit access to Jenkins management interfaces
Patch Information
Jenkins has released security updates addressing this vulnerability. Administrators should upgrade to Jenkins 2.504 or later for the weekly release line, or LTS 2.492.3 or later for the Long-Term Support release line. Detailed patch information is available in the Jenkins Security Advisory #SECURITY-3512.
Workarounds
- Restrict Computer/Create permission to only those users who also have Computer/Extended Read permission
- Review and audit all users with agent management capabilities
- Consider removing sensitive credentials from agent configurations and using Jenkins Credentials Plugin instead
- Implement role-based access control (RBAC) plugins for more granular permission management
# Review users with Computer/Create permission in Jenkins
# Navigate to: Manage Jenkins > Security > Configure Global Security
# Audit Matrix-based security or Role-based strategy permissions
# Recommended: Use Jenkins CLI to list user permissions
java -jar jenkins-cli.jar -s http://your-jenkins-url/ who-am-i
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
