CVE-2025-64144
Description
Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens unencrypted in job config.xml files, exposing them to users with Item/Extended Read permission or file system access.
Vulnerability
Description
Jenkins ByteGuard Build Actions Plugin 1.0 stores API tokens unencrypted in job config.xml files on the Jenkins controller. This plaintext storage violates security best practices for credential handling [1][3]: Jenkins core provides the hudson.util.Secret type, and the Credentials plugin, precisely so that plugins never persist such values as plain strings.
Exploitation
Item/Extended Read grants read access to a job's configuration, including its config.xml, so any user holding that permission can retrieve the stored API token through the Jenkins web interface or the job's config.xml endpoint. Any user with access to the controller's file system can read the same value directly from the job's config.xml under JENKINS_HOME [1][3]. Nothing else is needed once the token has been copied: whoever holds it can present it to the service it authenticates to.
Impact
A successful attacker can leverage the exposed API tokens to authenticate to external services protected by those tokens. The exact capabilities depend on the permissions granted to the token, but could include unauthorized access to build systems, artifact repositories, or other integrated services [1].
Mitigation
Status
As of the advisory, no fixed release of the ByteGuard Build Actions Plugin is available [2]. Until one exists, administrators should limit who holds Item/Extended Read on affected jobs and restrict file system access to the controller. Any token stored by the plugin should be treated as exposed and rotated, and the integration should be moved to a credentials plugin that encrypts secrets at rest [1][2].
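The following audit script is an added example, not code from the page or from the plugin. It demonstrates both the exposure described under Exploitation and the check an administrator would run under Mitigation: it walks a job config.xml, flags every credential-looking element whose value is not in the braced base64 form that hudson.util.Secret writes, and redacts what it reports. The builder class name, the apiToken element and both token values in the embedded samples are constructed for illustration; the real plugin's field names are not documented here.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample job config.xml (not taken from the plugin). The builder class
# name and the <apiToken> element are assumptions used only to illustrate the
# plaintext-storage pattern; the token value is a placeholder, not a real secret.
SAMPLE_CONFIG_PLAINTEXT = """<project>
  <description>nightly build</description>
  <builders>
    <io.jenkins.plugins.byteguard.ByteGuardBuilder plugin="byteguard-build-actions@1.0">
      <endpoint>https://byteguard.example/api</endpoint>
      <apiToken>plaintext-api-token-EXAMPLE-0000</apiToken>
    </io.jenkins.plugins.byteguard.ByteGuardBuilder>
  </builders>
  <publishers>
    <hudson.tasks.Mailer plugin="mailer@1.32">
      <recipients>dev@example.com</recipients>
    </hudson.tasks.Mailer>
  </publishers>
</project>
"""

# The same job after the value has been stored through hudson.util.Secret, which
# serializes as "{<base64 ciphertext>}". The ciphertext below is a constructed
# placeholder, not output of a real Jenkins instance.
SAMPLE_CONFIG_ENCRYPTED = SAMPLE_CONFIG_PLAINTEXT.replace(
    "plaintext-api-token-EXAMPLE-0000",
    "{AQAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=}",
)

# Current on-disk format of hudson.util.Secret: base64 wrapped in braces. The legacy
# format was bare base64, which this pattern deliberately does not accept, so legacy
# values are reported and should be checked by hand rather than silently trusted.
ENCRYPTED_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")

# Element names that usually carry a credential in plugin configuration.
SENSITIVE_TAG_RE = re.compile(r"token|secret|password|passphrase|api_?key", re.IGNORECASE)


def is_encrypted_secret(value: str) -> bool:
    """True if value looks like a hudson.util.Secret ciphertext rather than plaintext."""
    return ENCRYPTED_SECRET_RE.match(value.strip()) is not None


def redact(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so the audit report does not re-leak the token."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def find_plaintext_secrets(config_xml: str):
    """Return [(path, element name, redacted value)] for every credential-looking
    element whose text is not in the encrypted Secret format."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if text and SENSITIVE_TAG_RE.search(elem.tag) and not is_encrypted_secret(text):
            findings.append((here, elem.tag, redact(text)))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def scan_jenkins_home(jenkins_home: str):
    """Scan every job config.xml under JENKINS_HOME/jobs; folders nest as jobs/*/jobs/*."""
    results = {}
    for cfg in Path(jenkins_home, "jobs").rglob("config.xml"):
        results[str(cfg)] = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python audit_config_xml.py /var/lib/jenkins
        for path, hits in scan_jenkins_home(sys.argv[1]).items():
            for location, _, shown in hits:
                print(f"{path}: {location} = {shown}")
    else:
        print("plaintext sample:", find_plaintext_secrets(SAMPLE_CONFIG_PLAINTEXT))
        print("encrypted sample:", find_plaintext_secrets(SAMPLE_CONFIG_ENCRYPTED))
```

Run it against a copy of JENKINS_HOME taken from the controller, or from a backup, since backups and job configuration history hold the same plaintext. A hit under a plugin element means the token must be rotated regardless of who you believe has read the file; the redacted prefix is enough to identify which token to rotate.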
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:byteguard-build-actions (Maven) | <= 1.0 | — |
Affected products
- Range: <= 1.0
- Jenkins Project / Jenkins ByteGuard Build Actions Plugin
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-2vmr-8c82-x8xq (GitHub Security Advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2025-64144 (NVD)
- [3] https://www.jenkins.io/security/advisory/2025-10-29/ (vendor advisory)
- [4] https://www.openwall.com/lists/oss-security/2025/10/29/2 (oss-security)
News mentions
- Jenkins Security Advisory 2025-10-29, Jenkins Security Advisories, Oct 29, 2025