Cleartext storage of sensitive information in Jenkins Cadence vManager plugin
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2025-31724 |
| CWE-ID | CWE-312 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Cadence vManager Web applications / Modules and components for CMS |
| Vendor | Jenkins |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Cleartext storage of sensitive information
EUVDB-ID: #VU106946
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-31724
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the affected plugin stores Verisium Manager vAPI keys unencrypted in job "config.xml" files on the Jenkins controller as part of its configuration. A remote user can disclose sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCadence vManager: - - 4.0.0-282.v5096a_c2db_275
CPE2.3- cpe:2.3:a:jenkins:cadence_vmanager:*:*:*:*:*:jenkins:*:*
- cpe:2.3:a:jenkins:cadence_vmanager:4.0.0-282.v5096a_c2db_275:*:*:*:*:jenkins:*:*
https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3537
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
