CVE-2025-31724: Plaintext Storage of a Password in Jenkins Cadence vManager

Severity
4.3 MEDIUM (NVD)
EPSS
0.5%
top 32.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Apr 2

Description

Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5: jenkins_project/jenkins_cadence_vmanager_plugin 4.0.0-282.v5096a_c2db_275
NVD: jenkins/cadence_vmanager < 4.0.1-286.v9e25a_740b_a_48

🔴 Vulnerability Details (3)

CVEList: CVE-2025-31724: Jenkins Cadence vManager Plugin 4 (2025-04-02)
OSV: Jenkins Cadence vManager Plugin Stores Verisium Manager vAPI keys Unencrypted (2025-04-02)
GHSA: Jenkins Cadence vManager Plugin Stores Verisium Manager vAPI keys Unencrypted (2025-04-02)

📋 Vendor Advisories (1)

Jenkins: Jenkins Security Advisory 2025-04-02 (2025-04-02)