CVE-2025-64143 identifies a vulnerability in the Jenkins OpenShift Pipeline Plugin versions 1.0.57 and earlier, where authorization tokens are stored unencrypted within job configuration files (config.xml) on the Jenkins controller. These tokens are sensitive credentials used to authenticate pipeline operations with OpenShift clusters. Because the tokens are stored in plaintext, any user with Item/Extended Read permission within Jenkins or access to the Jenkins controller's file system can retrieve these tokens. This exposure could allow an attacker to impersonate pipeline operations or access OpenShift resources without further authentication. The vulnerability is classified under CWE-311 (Missing Encryption of Sensitive Data) and has a CVSS 3.1 base score of 4.3, reflecting a medium severity primarily due to confidentiality impact. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), and requires privileges (PR:L) but no user interaction (UI:N). The scope remains unchanged (S:U), and the impact affects confidentiality only (C:L), with no impact on integrity or availability. No public exploits are currently known, and no patches have been linked yet. Organizations using Jenkins pipelines integrated with OpenShift should evaluate their exposure, especially if multiple users have read permissions or if the Jenkins controller file system is accessible by unauthorized personnel.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of authorization tokens used in Jenkins pipelines interacting with OpenShift clusters. Exposure of these tokens could lead to unauthorized access to OpenShift environments, potentially allowing attackers to manipulate or disrupt CI/CD workflows, deploy malicious code, or access sensitive application environments. While the vulnerability does not directly affect system integrity or availability, the confidentiality breach can facilitate further attacks or lateral movement within the infrastructure. Organizations with extensive DevOps practices leveraging Jenkins and OpenShift are at higher risk. The impact is heightened in environments where Jenkins controllers are shared or where access controls are insufficient. Given the widespread adoption of Jenkins and OpenShift in European enterprises, especially in technology, finance, and manufacturing sectors, the vulnerability could affect critical development pipelines and cloud-native deployments.

To mitigate this vulnerability, European organizations should immediately audit Jenkins user permissions to ensure that only trusted users have Item/Extended Read access. Restricting read permissions reduces the risk of token exposure. Additionally, securing the Jenkins controller file system by enforcing strict OS-level access controls and monitoring for unauthorized access is critical. Organizations should consider encrypting sensitive data at rest within Jenkins configurations, if supported, or using credential management plugins that avoid storing tokens in plaintext. Regularly updating the Jenkins OpenShift Pipeline Plugin to the latest version once a patch is released is essential. In the interim, consider rotating exposed tokens and implementing network segmentation to limit Jenkins controller access. Monitoring Jenkins logs and OpenShift access logs for unusual activity can help detect exploitation attempts. Finally, educating DevOps teams about secure credential handling and minimizing token exposure in pipeline configurations will reduce risk.