CVE-2025-31721 Overview
A missing permission check vulnerability has been identified in Jenkins that allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining unauthorized access to encrypted secrets stored in the agent's configuration. This authorization bypass flaw affects Jenkins 2.503 and earlier, as well as LTS 2.492.2 and earlier versions.
Critical Impact
Attackers with limited permissions can bypass authorization controls to access encrypted secrets in agent configurations, potentially exposing sensitive credentials and enabling further compromise of CI/CD pipelines.
Affected Products
- Jenkins 2.503 and earlier
- Jenkins LTS 2.492.2 and earlier
Discovery Timeline
- 2025-04-02 - CVE-2025-31721 published to NVD
- 2025-04-29 - Last updated in NVD database
Technical Details for CVE-2025-31721
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), a broken access control flaw in Jenkins' agent management functionality. The security issue arises from an incomplete permission check when users attempt to copy agent configurations.
In Jenkins, the permission model separates Computer/Create (ability to create new agents) from Computer/Configure (ability to modify existing agent configurations). The vulnerability occurs because the copy agent operation only validates Computer/Create permission while failing to verify that the user also has Computer/Configure permission on the source agent being copied.
When an agent is copied, all configuration data—including encrypted secrets such as credentials, SSH keys, and authentication tokens—is transferred to the new agent. An attacker exploiting this flaw can effectively read configuration data they should not have access to by creating a duplicate agent and then accessing its configuration through legitimate means.
Root Cause
The root cause is a missing authorization check in the Jenkins agent copy functionality. The code path responsible for duplicating agent configurations does not properly enforce the Computer/Configure permission on the source agent, allowing users with only Computer/Create permission to access sensitive configuration data through the copy operation.
Attack Vector
The attack is network-accessible and requires low-privileged authenticated access to Jenkins. An attacker must have:
- Valid Jenkins credentials with Computer/Create permission
- Knowledge of existing agent names to target for copying
The exploitation flow involves the attacker initiating a copy operation on a target agent. Since the permission check is missing, Jenkins processes the request and creates a new agent with the copied configuration, including any encrypted secrets. The attacker can then access these secrets through the newly created agent's configuration that they now control.
Detection Methods for CVE-2025-31721
Indicators of Compromise
- Unusual agent creation activity from users who do not typically manage build agents
- Agent copy operations performed by accounts with limited administrative privileges
- New agents appearing with configurations copied from high-privilege or production agents
- Audit log entries showing agent duplication without corresponding Computer/Configure permission grants
Detection Strategies
- Review Jenkins audit logs for agent copy operations and correlate with user permission levels
- Monitor for new agent creation events that duplicate existing agent names or configurations
- Implement alerting on bulk agent creation activities or rapid sequential agent operations
- Cross-reference agent creation events with the permission matrix to identify anomalous access patterns
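The cross-referencing step described above can be automated. The following is an added example, not code from Jenkins or from this advisory: it flags agent copy events whose actor lacks Computer/Configure on the source agent. The JSON-lines event schema, the `agent.copy` action name, the user names and the permission matrix layout are all constructed assumptions and must be mapped to whatever your audit logging actually exports.

```python
import json

# Constructed audit export (JSON lines). The schema is an assumption, not the
# output format of any particular Jenkins audit plugin.
SAMPLE_EVENTS = """\
{"ts": "2025-04-03T09:12:44Z", "user": "alice", "action": "agent.copy", "source": "prod-deploy-01", "agent": "prod-deploy-02"}
{"ts": "2025-04-03T09:40:02Z", "user": "bob", "action": "agent.create", "source": null, "agent": "bob-test"}
{"ts": "2025-04-03T10:05:17Z", "user": "mallory", "action": "agent.copy", "source": "prod-deploy-01", "agent": "tmp-node"}
{"ts": "2025-04-03T10:05:58Z", "user": "mallory", "action": "agent.copy", "source": "signing-agent", "agent": "tmp-node-2"}
not-json garbage line from a truncated export
"""

# Constructed permission matrix: user -> {(permission, scope)}.
# Scope "*" means granted globally; otherwise it names a single agent.
PERMISSIONS = {
    "alice": {("Computer/Create", "*"), ("Computer/Configure", "*")},
    "bob": {("Computer/Create", "*")},
    "mallory": {("Computer/Create", "*"), ("Computer/Configure", "tmp-node")},
}

def has_permission(user, permission, agent):
    """True if the user holds the permission globally or on this agent."""
    grants = PERMISSIONS.get(user, set())
    return (permission, "*") in grants or (permission, agent) in grants

def find_suspicious_copies(raw_log):
    """Return (findings, skipped): copy events whose actor lacks
    Computer/Configure on the source agent, plus the unparseable line count."""
    findings, skipped = [], 0
    for line in raw_log.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count bad lines so gaps in the export are visible
            continue
        if not isinstance(event, dict) or event.get("action") != "agent.copy":
            continue
        user, source = event.get("user"), event.get("source")
        if not has_permission(user, "Computer/Configure", source):
            findings.append(event)
    return findings, skipped

if __name__ == "__main__":
    hits, bad = find_suspicious_copies(SAMPLE_EVENTS)
    for e in hits:
        print(f'{e["ts"]} {e["user"]} copied {e["source"]} -> {e["agent"]} without Computer/Configure')
    print(f"{bad} line(s) could not be parsed")
```

Evaluate events against the permission matrix as it stood when each event occurred; a grant added or removed later will otherwise hide or fabricate findings.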
Monitoring Recommendations
- Enable comprehensive audit logging in Jenkins to capture all agent management operations
- Configure SIEM integration to ingest Jenkins security events for correlation analysis
- Establish baseline metrics for normal agent creation patterns to detect anomalies
- Regularly review the Jenkins authorization matrix to ensure proper permission segregation
How to Mitigate CVE-2025-31721
Immediate Actions Required
- Upgrade Jenkins to version 2.504 or later (or LTS 2.492.3 or later)
- Review current user permissions and restrict Computer/Create permission to only necessary accounts
- Audit existing agents to identify any unauthorized copies that may have been created
- Rotate any secrets stored in agent configurations as a precautionary measure
Patch Information
Jenkins has addressed this vulnerability in the security advisory SECURITY-3513. Organizations should upgrade to Jenkins 2.504 or later for weekly releases, or Jenkins LTS 2.492.3 or later for long-term support releases. The patch adds the missing Computer/Configure permission check to the agent copy functionality.
Workarounds
- Restrict Computer/Create permission to only highly trusted administrators until the patch can be applied
- Use Jenkins' matrix-based security to implement granular access controls on agent management
- Remove sensitive credentials from agent configurations where possible and use external credential providers
- Monitor agent creation activities manually if automated monitoring is not available
# Configuration example - Review and restrict agent permissions in Jenkins
# Navigate to: Manage Jenkins -> Security -> Authorization
# Ensure Computer/Create is only granted to trusted administrators
# Consider using Role-Based Access Control plugin for granular permissions
# The permission matrix itself is reviewed in the UI path above.
# To see which user and authorities the Jenkins CLI session is running as:
java -jar jenkins-cli.jar -s http://your-jenkins-url/ who-am-i
# To list the jobs visible to that user:
java -jar jenkins-cli.jar -s http://your-jenkins-url/ list-jobs

