Software development: Jenkins plug-ins store API keys in plain text
Important security updates have been released for various Jenkins plug-ins such as AsakusaSatellite and Simple Queue. Some patches are still pending.
Admins of software development environments should update the Jenkins plug-ins AsakusaSatellite, Cadence vManager, monitor-remote-job, Simple Queue, Stack Hammer and Templating Engine to the latest version. However, not all security patches have been released yet. In addition, the developers have closed vulnerabilities in Jenkins Core.
Further information on the affected plug-ins is given in the Jenkins security advisory.
The dangers
The most dangerous is a vulnerability (CVE-2025-31722 “high”) in Templating Engine. If attackers have Item/Configure permissions, they can bypass the sandbox protection and execute malicious code in the context of the Jenkins controller JVM.
Stack Hammer (CVE-2025-31726 “medium”) and vManager (CVE-2025-31724 “medium”) store API keys in plain text. Attackers can also access unencrypted passwords (monitor-remote-job, CVE-2025-31725 “medium”).
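To make the defect class behind these advisories concrete, here is an added, hypothetical Jenkins build step (illustration only, not code from any of the plug-ins named here): first with the API key held in a plain String, which Jenkins' XStream persistence writes verbatim into the job's config.xml, then with hudson.util.Secret, which is persisted in encrypted form and decrypted only in memory at the point of use.

```java
import hudson.tasks.Builder;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/** Before: the key is a plain String, so it lands in clear text in the job's config.xml. */
public class PlainApiKeyBuilder extends Builder {
    private final String apiKey;

    @DataBoundConstructor
    public PlainApiKeyBuilder(String apiKey) {
        this.apiKey = apiKey;
    }

    // Anyone who can read config.xml (file system access or Extended Read) sees the key.
    public String getApiKey() {
        return apiKey;
    }
}

/** After: hudson.util.Secret is serialized as its encrypted value, never as plain text. */
class SecretApiKeyBuilder extends Builder {
    private final Secret apiKey;

    // Bind the form field as Secret (use f:password in the config.jelly of this step).
    @DataBoundConstructor
    public SecretApiKeyBuilder(Secret apiKey) {
        this.apiKey = apiKey;
    }

    // Round-tripped to the config form and config.xml as the encrypted value only.
    public Secret getApiKey() {
        return apiKey;
    }

    // Decrypt only where the key is actually needed, e.g. when calling the remote API.
    String apiKeyForRequest() {
        return Secret.toString(apiKey);
    }
}
```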
These security patches are already available:
- Jenkins weekly 2.504
- Jenkins LTS 2.492.3
- Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48
- Simple Queue Plugin 1.4.7
- Templating Engine Plugin 2.5.4
The updates for AsakusaSatellite, monitor-remote-job and Stack Hammer are not yet available. It is not yet clear when they will follow.
(des)