VYPR
Moderate severity · NVD Advisory · Published Oct 29, 2025 · Updated Nov 4, 2025

CVE-2025-64137


Description

A missing permission check in Jenkins Themis Plugin 1.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Jenkins Themis Plugin 1.4.1 and earlier lacks a permission check, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

Vulnerability

Overview

The Jenkins Themis Plugin, versions 1.4.1 and earlier, contains a missing permission check vulnerability. This flaw allows an attacker with only Overall/Read permission to cause the plugin to make an HTTP connection to a server specified by the attacker, rather than the intended Themis instance [1][2]. The plugin is designed to communicate with a Themis instance for sending report files and refresh requests, but the insufficient permission validation enables unauthorized outbound connections [3].

Exploitation

Context

To exploit this vulnerability, an attacker must have Overall/Read permission on the Jenkins instance, which is a low-privilege permission typically granted to many users. The attacker can then configure the plugin to connect to an arbitrary HTTP server of their choosing, potentially exfiltrating data or using the Jenkins server as a pivot for further attacks [1][2]. The plugin's configuration fields, such as the Themis instance URL, are exposed to users with this permission level, and no additional check verifies that the user is authorized to modify network destinations [3].

Impact and Mitigation

The impact is that an attacker can force the Jenkins server to initiate HTTP connections to external hosts under their control, which could be used for reconnaissance, data exfiltration, or as part of a larger attack chain. As of the advisory, no patch is available for the Themis Plugin, and it is listed among unresolved vulnerabilities in the Jenkins Security Advisory [1][2]. Administrators are advised to restrict Overall/Read permission where possible or monitor for anomalous outbound connections from the Jenkins server until a fix is released [1].
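The code-level fix for this bug class is to put an explicit permission check in front of any plugin endpoint that opens a connection to a user-supplied URL. The following is an added illustration, not the Themis plugin's source (which this page does not show): a hypothetical Jenkins descriptor with a form-validation method in the unchecked shape described above, beside the hardened shape that requires Overall/Administer and accepts POST only.

```java
import hudson.model.Descriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.HttpURLConnection;
import java.net.URL;

// Hypothetical descriptor for illustration; not the Themis plugin's code.
public class ReportServerDescriptor extends Descriptor<Builder> {

    // Vulnerable shape of the bug class on this page: the method opens a
    // connection to whatever URL it is handed, and nothing checks who asked.
    // Any user who can reach the form (Overall/Read) can make Jenkins connect out.
    public FormValidation doCheckServerUrlUnsafe(@QueryParameter String value) {
        return probe(value);
    }

    // Hardened shape: only Overall/Administer may trigger the connection, and
    // the method accepts POST only so a crafted GET link cannot invoke it.
    @POST
    public FormValidation doCheckServerUrl(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(value);
    }

    // Shared connection test: bounded timeouts, HEAD request, and an https-only
    // rule (the last is an extra hardening choice made here, not a Jenkins rule).
    private static FormValidation probe(String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("Server URL is required");
        }
        try {
            URL url = new URL(value.trim());
            if (!"https".equalsIgnoreCase(url.getProtocol())) {
                return FormValidation.error("Only https:// URLs are accepted");
            }
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(3000);
            conn.setReadTimeout(3000);
            int status = conn.getResponseCode();
            return status < 400
                    ? FormValidation.ok("Reachable (HTTP " + status + ")")
                    : FormValidation.warning("Server answered HTTP " + status);
        } catch (Exception e) {
            return FormValidation.error("Cannot reach server: " + e.getMessage());
        }
    }
}
```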

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:themis (Maven)
Affected versions: <= 1.4.1
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1