4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-67643

CVE-2025-67643: Jenkins Redpen - Pipeline Reporter for Jira Plugin has a path traversal vulnerability

Jenkins Redpen - Pipeline Reporter for Jira Plugin 1.054.v7b_9517b_6b_202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira, allowing attackers with Item/Configure permission to retrieve files present on the Jenkins controller workspace directory.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-67643

CVE-2025-67643:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkinsci.plugins:pipeline-reporter-by-redpen	maven	<= 1.054

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a path traversal in the Jenkins Redpen - Pipeline Reporter for Jira Plugin. The security advisory states that the plugin fails to properly validate the path of the workspace directory when uploading artifacts to Jira. Analysis of the source code, specifically RedpenJenkinsCore.java and RedpenService.java, confirms this flaw.

The execution flow starts at org.jenkinsci.plugins.redpen.service.RedpenJenkinsCore.doPerform, which is the main entry point and receives a ParameterModel object. An attacker with Item/Configure permission can manipulate the properties of this model, including the logAbsolutePath.

The doPerform method then calls the private addAttachments method. Inside addAttachments, the line File buildLogFile = new File(parameter.getLogAbsolutePath()); creates a File object using the user-controlled path without any validation to ensure it is within the Jenkins workspace. While other file attachment logic within the same method correctly performs path validation using startsWith(workspaceBasePath), this crucial validation is missing for the build log file.

Finally, this unvalidated File object is passed to org.jenkinsci.plugins.redpen.service.RedpenService.addAttachment. This service method proceeds to read the file from the filesystem and upload its contents to Jira. This allows an attacker to specify an arbitrary file path on the Jenkins controller (e.g., ../../../../../../etc/passwd) and have its contents uploaded to Jira, leading to information disclosure.

Vulnerable functions

org.jenkinsci.plugins.redpen.service.RedpenJenkinsCore.doPerform

src/main/java/org/jenkinsci/plugins/redpen/service/RedpenJenkinsCore.java

This is the public entry point for the plugin's logic. It receives a `ParameterModel` object which can be controlled by an attacker with Item/Configure permissions. This model contains the path to the build log file (`logAbsolutePath`), which is the source of the path traversal vulnerability.

org.jenkinsci.plugins.redpen.service.RedpenJenkinsCore.addAttachments

src/main/java/org/jenkinsci/plugins/redpen/service/RedpenJenkinsCore.java

This function is responsible for gathering all attachments. It directly uses the `logAbsolutePath` from the `ParameterModel` to create a `File` object without any path validation. Other file paths handled in this function are validated (e.g., using `startsWith(workspaceBasePath)`), but the build log path is not, which is the core of the vulnerability.

org.jenkinsci.plugins.redpen.service.RedpenService.addAttachment

src/main/java/org/jenkinsci/plugins/redpen/service/RedpenService.java

This function in the `RedpenService` class is responsible for the actual file upload to Jira. It receives the `File` object created with the malicious path from `RedpenJenkinsCore.addAttachments` and reads its contents via `new FileBody(file, ...)` to be uploaded, effectively accessing a file outside the intended directory.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-67643: Jenkins Redpen - Pipeline Reporter for Jira Plugin has a path traversal vulnerability

CVE-2025-67643:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-67643: Jenkins Redpen - Pipeline Reporter for Jira Plugin has a path traversal vulnerability

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

4.3

4.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI