
CVE-2025-64139: Jenkins Start Windocks Containers Plugin is missing a permission check

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: -
Published: 10/29/2025
Updated: 10/29/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.jenkins-ci.plugins:windocks-start-container | maven | <= 1.4 | (not listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is an unprotected HTTP endpoint in the Jenkins Start Windocks Containers Plugin. In the plugin's source, the doFillImageItems method of the nested DescriptorImpl class in WinDocksBuilder.java is exposed as a Stapler web method without any permission check. The method exists to populate a UI dropdown with Docker image names fetched from a Windocks server at a given IP address.

doFillImageItems takes an ipaddress query parameter and passes it to GetImages, which builds a URL from that value and issues an HTTP GET to it. Because the parameter is neither validated nor gated by a permission check, any user with Overall/Read permission can call the endpoint and make the Jenkins controller connect to an attacker-specified URL or IP address, which is a Server-Side Request Forgery (SSRF). As the advisory also notes, the endpoint does not require POST, so it can be triggered by a plain GET from a malicious page visited by a logged-in Jenkins user, making it vulnerable to Cross-Site Request Forgery (CSRF) as well.

Vulnerable functions

windockspkg.windocksplug.WinDocksBuilder$DescriptorImpl.doFillImageItems
src/main/java/windockspkg/windocksplug/WinDocksBuilder.java
This method is the unprotected HTTP endpoint. It reads the 'ipaddress' parameter from the request and passes it to GetImages without checking whether the caller is authorized, so any user with Overall/Read permission can trigger it; the result is the SSRF. Because it does not require a POST request, it is also reachable via CSRF.
windockspkg.windocksplug.WinDocksBuilder$DescriptorImpl.GetImages
src/main/java/windockspkg/windocksplug/WinDocksBuilder.java
Called by doFillImageItems, this method performs the outbound request. It builds a URL from the user-supplied 'ipAddress' value without validation or sanitization and issues an HTTP GET to it, so the Jenkins controller connects to whatever address the caller specified.
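The following is an added example that is not the plugin's own source; it reconstructs the vulnerable shape described in the Root Cause Analysis and the two vulnerable functions above, and puts the hardened form beside it. Only the names WinDocksBuilder, DescriptorImpl, doFillImageItems, GetImages and the ipaddress parameter come from this page; the outbound URL format (http://<ip>/images, one image name per line), the response parsing and the surrounding class layout are assumptions made for illustration.

```java
// Added example, not the plugin's code. Assumed: the Windocks server answers
// GET http://<ip>/images with one image name per line. Everything else that is
// not named on the page (class layout, timeouts, display name) is illustrative.
package windockspkg.windocksplug;

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class WinDocksBuilder extends Builder {

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        /*
         * Vulnerable shape as described above (plugin <= 1.4). Stapler binds a
         * descriptor method named doFillImageItems under
         * .../descriptorByName/<descriptor id>/fillImageItems; it answers GET,
         * checks no permission, and hands ipaddress straight to GetImages:
         *
         *   public ListBoxModel doFillImageItems(@QueryParameter String ipaddress) {
         *       return GetImages(ipaddress);
         *   }
         */

        // Accept only a dotted-quad IPv4 literal, so the value cannot carry a
        // scheme, userinfo, port, path or hostname into the outbound URL.
        private static final Pattern IPV4 = Pattern.compile(
                "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");

        // Hardened shape: @POST rejects a plain GET (the CSRF vector), the
        // permission check ties the call to the authority that configuring
        // this build step requires, and malformed input never reaches the network.
        @POST
        public ListBoxModel doFillImageItems(@AncestorInPath Item item,
                                             @QueryParameter String ipaddress) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER); // global config context
            } else {
                item.checkPermission(Item.CONFIGURE);              // job config context
            }
            if (ipaddress == null || !IPV4.matcher(ipaddress.trim()).matches()) {
                return new ListBoxModel(); // bad input: empty dropdown, no connection
            }
            return GetImages(ipaddress.trim());
        }

        // Assumed outbound call. Not "do"-prefixed, so Stapler does not expose it.
        ListBoxModel GetImages(String ipAddress) {
            ListBoxModel items = new ListBoxModel();
            try {
                URL url = new URL("http://" + ipAddress + "/images"); // assumed format
                HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                conn.setRequestMethod("GET");
                conn.setConnectTimeout(3_000);
                conn.setReadTimeout(3_000);
                if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
                    try (BufferedReader in = new BufferedReader(
                            new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
                        String line;
                        while ((line = in.readLine()) != null) {
                            if (!line.isBlank()) {
                                items.add(line.trim());
                            }
                        }
                    }
                }
            } catch (Exception e) {
                // An unreachable Windocks server simply yields an empty dropdown.
            }
            return items;
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Start Windocks containers";
        }
    }
}
```

Two things worth checking against a patched instance: a GET to the fillImageItems endpoint should now be refused (the @POST annotation), and a POST from an account that only holds Overall/Read should be rejected with 403 rather than returning image names. The IPv4 literal check is defence in depth that this page does not attribute to the upstream fix; once Item.CONFIGURE is required, the remaining ability to point the controller at an internal address belongs to users who can already configure jobs, which is within the Jenkins trust model.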

WAF Protection Rules

WAF Rule

Jenkins Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this endpoint does not requi
