CVE-2025-64143
Description
Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins OpenShift Pipeline Plugin <=1.0.57 stores authorization tokens unencrypted in job config files, exposing them to users with Item/Extended Read permission or file system access.
Vulnerability
Description
The Jenkins OpenShift Pipeline Plugin up to and including version 1.0.57 stores the authorization tokens it uses to authenticate to the OpenShift API in plaintext inside job config.xml files on the Jenkins controller [2][4]. This is insecure storage of sensitive data: the tokens are written as-is, neither encrypted nor masked, so anyone who can read the job configuration can read the credential.
Exploitation
To exploit this vulnerability, an attacker needs either the Item/Extended Read permission on a Jenkins job (which allows reading the job's configuration, including its config.xml) or direct access to the Jenkins controller's file system, where the job configurations are stored under the Jenkins home directory [2][4]. No authentication to OpenShift is required to obtain the tokens; they are already present in the stored Jenkins configuration.
Impact
If successful, an attacker can retrieve the authorization tokens and use them to authenticate to the OpenShift cluster as whatever identity the token belongs to, typically the service account configured for the Jenkins integration. Depending on the permissions granted to that identity, this could lead to unauthorized access to OpenShift resources, including the ability to deploy pods, modify configurations, or read secrets [2].
Mitigation
As of the Jenkins Security Advisory 2025-10-29, no fix has been released for this vulnerability; the advisory lists it as unresolved [3]. Until a fix is available, restrict Item/Extended Read to trusted users, limit file-system access to the Jenkins controller, and treat any token that has been stored in an affected job configuration as potentially exposed and rotate it. Additionally, the plugin is deprecated for OpenShift versions after 3.11, and migration to the OpenShift Client Plugin is recommended [1].
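The two conditions above (a token sitting in plaintext in a job config.xml, and a principal holding Item/Extended Read) are both checkable offline against a copy of the Jenkins home directory. The script below is an added example, not code from the plugin or the Jenkins project: it walks job config.xml files, flags token-like elements whose value is not in the braced form that Jenkins' encrypted Secret type uses, and lists who the matrix authorization strategy grants Item/Extended Read. The element name `authToken` and the `OpenShiftBuilder` class name in the constructed sample are assumptions about the plugin's configuration format; the tag match is kept deliberately broad so the scan does not depend on them. The sample XML documents are constructed for the example.

```python
"""Audit a Jenkins controller for the CVE-2025-64143 exposure (added example)."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# hudson.util.Secret renders an encrypted value as base64 wrapped in braces.
# Anything else in a token-like field is treated as plaintext (conservative).
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Broad match on element names that plausibly carry an API token
# (assumption: the plugin uses an <authToken> field; we do not rely on it).
TOKEN_TAG = re.compile(r"token", re.IGNORECASE)
# Permission id of Item/Extended Read as it appears in Jenkins config.xml.
EXTENDED_READ = "hudson.model.Item.ExtendedRead"


def classify_secret(value):
    """Return 'empty', 'encrypted' or 'plaintext' for one stored value."""
    v = value.strip()
    if not v:
        return "empty"
    return "encrypted" if ENCRYPTED_SECRET.match(v) else "plaintext"


def find_token_fields(config_xml):
    """(tag, classification) for every token-like element in one job config."""
    root = ET.fromstring(config_xml)
    return [
        (elem.tag, classify_secret(elem.text))
        for elem in root.iter()
        if TOKEN_TAG.search(elem.tag) and elem.text is not None
    ]


def extended_read_grantees(global_config_xml):
    """Principals granted Item/Extended Read by a matrix authorization strategy.

    Accepts both the legacy "<permission>PERM:sid</permission>" form and the
    matrix-auth 3.x "TYPE:PERM:sid" form by reading the last two components.
    """
    root = ET.fromstring(global_config_xml)
    sids = set()
    for perm in root.iter("permission"):
        parts = (perm.text or "").strip().split(":")
        if len(parts) >= 2 and parts[-2] == EXTENDED_READ:
            sids.add(parts[-1])
    return sorted(sids)


def audit_jenkins_home(jenkins_home):
    """Map job name -> plaintext token fields for every job under $JENKINS_HOME."""
    report = {}
    for cfg in Path(jenkins_home).glob("jobs/*/config.xml"):
        hits = [f for f in find_token_fields(cfg.read_text()) if f[1] == "plaintext"]
        if hits:
            report[cfg.parent.name] = hits
    return report


# Constructed sample job config: one plaintext token, one Jenkins-encrypted value.
SAMPLE_JOB_CONFIG = """<project>
  <builders>
    <com.openshift.jenkins.plugins.pipeline.OpenShiftBuilder>
      <apiURL>https://api.example.invalid:6443</apiURL>
      <authToken>sha256~EXAMPLE-PLAINTEXT-TOKEN-0000</authToken>
    </com.openshift.jenkins.plugins.pipeline.OpenShiftBuilder>
    <hudson.tasks.Shell><command>echo build</command></hudson.tasks.Shell>
  </builders>
  <publishers>
    <some.plugin.Step>
      <apiToken>{AQAAABAAAAAgQ0VzVDhMb2NhbEV4YW1wbGU=}</apiToken>
    </some.plugin.Step>
  </publishers>
</project>
"""

# Constructed sample global config with matrix-auth grants in both syntaxes.
SAMPLE_GLOBAL_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Item.ExtendedRead:alice</permission>
    <permission>GROUP:hudson.model.Item.ExtendedRead:release-managers</permission>
    <permission>USER:hudson.model.Item.Read:bob</permission>
    <permission>hudson.model.Item.ExtendedRead:legacy-user</permission>
  </authorizationStrategy>
</hudson>
"""

if __name__ == "__main__":
    for tag, kind in find_token_fields(SAMPLE_JOB_CONFIG):
        print(f"{tag}: {kind}")
    print("Item/Extended Read:", ", ".join(extended_read_grantees(SAMPLE_GLOBAL_CONFIG)))
```

Run `audit_jenkins_home("/var/lib/jenkins")` on the controller (or on a backup) to get a job-by-job list of plaintext token fields; every job it reports holds a token that should be rotated once the config is fixed. The encrypted check only recognises the braced Secret format, so an unrecognised value is reported as plaintext rather than silently passed.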
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.openshift.jenkins:openshift-pipeline (Maven) | <= 1.0.57 | — |
Affected products
- Jenkins Project / Jenkins OpenShift Pipeline Plugin: range <= 1.0.57
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. https://github.com/advisories/GHSA-4653-9q2r-684q (GHSA advisory)
2. https://nvd.nist.gov/vuln/detail/CVE-2025-64143 (NVD advisory)
3. https://www.jenkins.io/security/advisory/2025-10-29/ (vendor advisory)
4. https://www.openwall.com/lists/oss-security/2025/10/29/2 (oss-security post)
News mentions
- Jenkins Security Advisory 2025-10-29 (Jenkins Security Advisories, Oct 29, 2025)