The Jenkins Curseforge Publisher Plugin version 1.0 contains a vulnerability identified as CVE-2025-64147, classified under CWE-311 (Cleartext Transmission of Sensitive Information). The plugin fails to mask API keys on the job configuration form within the Jenkins UI, exposing these sensitive credentials to anyone with access to view or edit job configurations. This exposure increases the risk of credential theft, as attackers or unauthorized users can directly observe API keys without additional authentication or user interaction. The vulnerability is remotely exploitable over the network (AV:N) with low attack complexity (AC:L), but requires the attacker to have at least limited privileges (PR:L) within Jenkins. The scope is unchanged (S:U), and the impact is limited to confidentiality (C:L), with no direct impact on integrity or availability. The CVSS v3.1 base score is 4.3, reflecting a medium severity level. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability highlights the importance of secure handling and masking of sensitive credentials in CI/CD tools to prevent leakage and subsequent misuse.

For European organizations, this vulnerability poses a risk primarily to the confidentiality of API keys used within Jenkins environments leveraging the Curseforge Publisher Plugin. Exposure of these keys could allow attackers to interact with external services or APIs that the keys authenticate against, potentially leading to unauthorized data access or manipulation outside Jenkins. While the vulnerability itself does not directly affect system integrity or availability, compromised API keys can be leveraged for further attacks, including supply chain compromises or unauthorized deployments. Organizations with extensive Jenkins usage in software development or automation pipelines are at higher risk, especially if access controls are weak or if multiple users have job configuration privileges. The risk is exacerbated in environments where sensitive or critical infrastructure is managed via Jenkins pipelines. Given the medium severity and lack of known exploits, the immediate threat is moderate but should not be underestimated due to the potential for credential misuse.

European organizations should immediately audit Jenkins instances to identify usage of the Curseforge Publisher Plugin version 1.0 and assess exposure of API keys in job configurations. Restrict job configuration access strictly to trusted administrators and implement role-based access controls to minimize the number of users who can view or edit jobs. Consider disabling or removing the vulnerable plugin until a patched version is available. If removal is not feasible, manually mask or encrypt API keys outside of Jenkins job configurations or use Jenkins credentials management features that securely store and mask secrets. Regularly monitor Jenkins logs and audit trails for suspicious access or configuration changes. Educate Jenkins administrators about the risks of exposing API keys and enforce policies to avoid embedding sensitive credentials directly in job configurations. Stay updated with Jenkins security advisories for any forthcoming patches addressing this vulnerability.