
CVE-2025-64145: Jenkins ByteGuard Build Actions Plugin does not mask API tokens displayed on the job configuration form

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 10/29/2025
Updated: 10/29/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
io.jenkins.plugins:byteguard-build-actions | maven | <= 1.0 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability lies in the io.jenkins.plugins.BytegaurdActionBuilder class, which handles the configuration for the build step. The core of the issue is the handling of the token field, which is used for authentication with the ByteGuard API.

  1. Unencrypted Storage: The token is declared as a private final String. When a user configures a job using this build step, Jenkins uses the @DataBoundConstructor to instantiate the BytegaurdActionBuilder. The provided token is stored in the token field. Because the field is a standard String and not a hudson.util.Secret, Jenkins serializes it directly into the job's config.xml file in plain text. Anyone with access to the Jenkins controller's file system or with Item/ExtendedRead permission can view this sensitive credential.

  2. Unmasked Credential in UI: The getToken() getter method returns the token as a plain String. This getter is used by the associated config.jelly view file to render the configuration form. A standard <f:textbox> field bound to this getter will display the token in cleartext. This allows any user who can access the job's configuration page to see the API token, increasing the risk of accidental exposure or malicious capture.

The fix for this type of vulnerability typically involves changing the token field type from String to hudson.util.Secret and updating the constructor and getter accordingly. The corresponding Jelly file would also be updated to use an <f:password/> field, which automatically handles masking in the UI and encryption on the backend. As no fix is available, the identified functions represent the current vulnerable implementation.
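To make the String-versus-Secret distinction concrete, here is an added illustration of the two patterns side by side. It is not the plugin's own code: the class names LeakyTokenBuilder and SafeTokenBuilder, the package example.jenkins and the display name are hypothetical, and the Jelly fragments are shown as comments. The Jenkins APIs used (hudson.util.Secret, @DataBoundConstructor, SimpleBuildStep) are the real ones the analysis above refers to.

```java
// Added illustration, not the plugin's code: the same build step written the
// vulnerable way (plain String token) and the hardened way (hudson.util.Secret).
// Class, package and field names here are hypothetical.
package example.jenkins;

import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractProject;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import java.io.IOException;
import jenkins.tasks.SimpleBuildStep;
import org.kohsuke.stapler.DataBoundConstructor;

/*
 * config.jelly, vulnerable form (token rendered in cleartext):
 *   <f:entry title="API token" field="token"><f:textbox/></f:entry>
 *
 * config.jelly, hardened form (masked input, value round-trips encrypted):
 *   <f:entry title="API token" field="token"><f:password/></f:entry>
 */

/** Vulnerable pattern: a plain String is persisted verbatim into the job's config.xml. */
class LeakyTokenBuilder extends Builder {
    private final String token;

    @DataBoundConstructor
    public LeakyTokenBuilder(String token) {
        this.token = token;
    }

    /** Bound to <f:textbox field="token"/>: the form shows the token in cleartext. */
    public String getToken() {
        return token;
    }
}

/** Hardened pattern: Secret is encrypted with the controller's key before it is serialized. */
public class SafeTokenBuilder extends Builder implements SimpleBuildStep {
    private final Secret token;

    /** Stapler converts the submitted form value into a Secret for us. */
    @DataBoundConstructor
    public SafeTokenBuilder(Secret token) {
        this.token = token;
    }

    /** Bound to <f:password field="token"/>: the field is masked and only the encrypted form is sent back. */
    public Secret getToken() {
        return token;
    }

    @Override
    public void perform(Run<?, ?> run, FilePath workspace, Launcher launcher, TaskListener listener)
            throws IOException, InterruptedException {
        // Decrypt only at the point of use, and never write the plaintext to the build log.
        String plain = Secret.toString(token);
        listener.getLogger().println("Calling the API with a token of length " + plain.length());
        // ... the HTTP call to the (hypothetical) API would go here ...
    }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example token build step"; // hypothetical display name
        }
    }
}
```

A quick way to audit an existing job for either pattern is to open its config.xml on the controller: a Secret-typed field is stored as a `{...}`-wrapped base64 blob, whereas a String-typed field holds the token exactly as the user typed it. Changing the field type on its own is not enough; the Jelly view must switch from `<f:textbox/>` to `<f:password/>` as well, otherwise the getter's value is still echoed into a visible form field.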

Vulnerable functions

io.jenkins.plugins.BytegaurdActionBuilder.BytegaurdActionBuilder
(src/main/java/io/jenkins/plugins/BytegaurdActionBuilder.java)
This constructor is bound to the Jenkins configuration form. It accepts the 'token' as a plain String and stores it in a String field. Jenkins persists this field as-is in the job's config.xml file, resulting in the unencrypted storage of the API token.

io.jenkins.plugins.BytegaurdActionBuilder.getToken
(src/main/java/io/jenkins/plugins/BytegaurdActionBuilder.java)
This getter method exposes the stored API token. It is used by Jenkins' UI (via a Jelly script) to populate the value of the token field on the job configuration page. Because it returns a plain String, the token is displayed in cleartext in the web interface, exposing it to any user with permission to view the job configuration.

WAF Protection Rules

WAF Rule

Jenkins ByteGuard Build Actions Plugin 1.0 and earlier stores API tokens unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access t
