VYPR
Moderate severity · NVD Advisory · Published Oct 29, 2025 · Updated Nov 4, 2025

CVE-2025-64145

Description

Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens on the job configuration form, allowing attackers with job configuration access to capture them.

Vulnerability Description

The Jenkins ByteGuard Build Actions Plugin version 1.0 fails to mask API tokens when displayed on the job configuration form [1][3]. This means that sensitive credential values are shown in plain text rather than being obfuscated (e.g., with asterisks), increasing the likelihood that an attacker who can view the configuration page can capture the token.
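A check for this class of defect, as an added example that is not code from the ByteGuard plugin or from the advisory: it scans a Jenkins Jelly configuration view for form entries whose field name looks sensitive but which render in a plain-text control instead of `f:password`. The two embedded views are constructed samples, and the field names `apiToken` and `projectName` are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

FORM_NS = "/lib/form"  # namespace URI that Jenkins Jelly views bind to the f: prefix
SENSITIVE = re.compile(r"token|secret|passw|api_?key", re.IGNORECASE)

# Constructed Jelly views; "apiToken" and "projectName" are hypothetical field names.
UNMASKED_VIEW = """<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
  <f:entry title="Project" field="projectName"><f:textbox/></f:entry>
  <f:entry title="API token" field="apiToken"><f:textbox/></f:entry>
</j:jelly>"""

# Same view with the token entry switched to the masking control.
MASKED_VIEW = UNMASKED_VIEW.replace(
    'field="apiToken"><f:textbox/>', 'field="apiToken"><f:password/>')


def unmasked_secret_fields(jelly_source):
    """Return sensitive-looking field names rendered in a plain-text control."""
    root = ET.fromstring(jelly_source)
    textbox = f"{{{FORM_NS}}}textbox"
    textarea = f"{{{FORM_NS}}}textarea"
    password = f"{{{FORM_NS}}}password"
    findings = []
    for entry in root.iter(f"{{{FORM_NS}}}entry"):
        field = entry.get("field", "")
        if not SENSITIVE.search(field):
            continue  # not a credential-like field, plain text is acceptable
        controls = {el.tag for el in entry.iter() if el is not entry}
        if controls & {textbox, textarea} and password not in controls:
            findings.append(field)
    return findings


if __name__ == "__main__":
    for name, view in (("unmasked", UNMASKED_VIEW), ("masked", MASKED_VIEW)):
        print(name, unmasked_secret_fields(view))
```

Masking in the form is only half of the usual Jenkins pattern: the backing property should also be of type `hudson.util.Secret` so the value is stored encrypted and the form receives the encrypted value rather than plaintext.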

Attack Vector

To exploit this vulnerability, an attacker must have at least Job/Configure permission for a Jenkins job that uses the ByteGuard Build Actions Plugin, as the token is revealed on the job configuration form [1][2]. No special network position is required beyond access to the Jenkins web interface; the configuration form is part of the standard UI. The vulnerability is present in all known versions of the plugin, which remains unpatched as of the advisory date [1][2].

Impact

An attacker who can observe or capture the plaintext API token can use it to authenticate to external services or perform actions on behalf of the Jenkins instance, depending on the scope of the token. The lack of masking directly reduces the security posture of the credential, making it easier to leak through shoulder surfing, session recording, or other monitoring of the configuration page [1][3].

Mitigation Status

As of the Jenkins Security Advisory dated 2025-10-29, there is no fix available for the ByteGuard Build Actions Plugin; the plugin is listed among those with unresolved security issues [2]. Users are strongly advised to avoid using the plugin in sensitive environments, restrict access to job configuration pages, and consider alternative plugins or workflow patterns that properly mask credentials.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jenkins.plugins:byteguard-build-actions (Maven)
Affected versions: <= 1.0
Patched versions: none listed

Patches

No patches discovered yet.
