Is Your Jenkins Open? Critical SAML Bypass Flaw and MCP Plugin Vulnerabilities Exposed.


Author: CyberDudeBivash (cyberdudebivash.com; related: cyberbivash.blogspot.com)
Published by CyberDudeBivash • Date: Oct 30, 2025 (IST)

The Jenkins security advisory of 2025-10-29 discloses a SAML Plugin replay authentication bypass and missing permission checks in the MCP Server Plugin that let users holding only Item/Read trigger builds and read SCM and cloud configuration. Patch the affected plugins immediately and cut external exposure.

TL;DR — Patch, Lock Down, Hunt

  • Critical risk: the SAML Plugin had no replay cache, so an attacker who captures a SAML response in transit can post it again and log in as that user. Fix: update to 4.583.585.v22ccc1139f55 (adds a replay cache).
  • Privilege abuse: missing permission checks in the MCP Server Plugin let users with only Item/Read trigger builds and read SCM and cloud information. Fix: update to 0.86.v7d3355e6a_a_18.
  • Also flagged: a CSRF issue in Extensible Choice Parameter (no fix yet) and several other plugin issues; disable or restrict access until patched.
  • Action now: patch, remove internet exposure, force SSO re-authentication, review audit logs for suspicious replays and build triggers, and rotate tokens if compromise is suspected.

Background: Why Jenkins Exposure = Rapid CI/CD Takeover

A publicly reachable Jenkins controller typically holds personal access tokens, cloud keys, and deploy credentials, and every job it runs can push code or publish artifacts. An authentication bypass or a missing authorization check in a plugin therefore turns quickly into organization-wide compromise: malicious commits, poisoned artifacts, stolen secrets. This advisory adds SAML replay and MCP permission issues to an already high-value target.

The New Flaws (SAML & MCP) in Plain English

SAML Plugin — Authentication Replay

CVE-2025-64131: affected SAML Plugin versions did not implement a replay cache. A SAML login ends with the identity provider's browser-posted SAML Response (carrying the assertion) being delivered to the plugin's consumer endpoint. An attacker who can observe that exchange (a compromised or misconfigured reverse proxy, TLS terminated before traffic reaches Jenkins, an adjacent network position) can post the captured response a second time and be logged in as the victim. The replay still has to land inside the assertion's NotBefore/NotOnOrAfter window, so this is a real-time attack, but identity providers commonly allow a window of minutes. The fixed build adds a replay cache that records the IDs of assertions already consumed and rejects any it has seen before.
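The mechanism of the fix, as an added example (this is not the Jenkins SAML plugin's own code, which delegates SAML processing to pac4j): parse a SAML Response, enforce the assertion's validity window, and refuse any assertion ID that has already been consumed. The SAML Response, hostnames and user name are constructed; signature verification is assumed to have happened before `accept()` is called and is out of scope here.

```python
"""Replay cache for SAML Responses (added illustration of the fix; not the
Jenkins SAML plugin's code, which uses pac4j).

Remember the ID of every assertion already consumed and reject a second
presentation of it inside its validity window. Signature checks are assumed
to run before accept() and are not shown.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SAML Response, shaped like what an IdP POSTs to the SAML
# plugin's consumer endpoint (/securityRealm/finishLogin). Hosts are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-0001" Version="2.0" IssueInstant="2025-10-30T10:00:00Z"
    Destination="https://jenkins.example/securityRealm/finishLogin">
  <saml:Assertion ID="_assert-a1b2c3" Version="2.0" IssueInstant="2025-10-30T10:00:00Z">
    <saml:Issuer>https://idp.example/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2025-10-30T09:59:00Z" NotOnOrAfter="2025-10-30T10:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC xs:dateTime values; keep them timezone-aware."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class SamlReplayCache:
    """Accept each assertion ID once, for as long as the assertion is valid."""

    def __init__(self):
        self._seen = {}  # assertion ID -> NotOnOrAfter, used for eviction

    def _evict(self, now):
        # Expired entries cannot be replayed anyway (the validity check
        # rejects them), so dropping them bounds memory without weakening the check.
        for aid, expiry in list(self._seen.items()):
            if expiry <= now:
                del self._seen[aid]

    def accept(self, response_xml, now):
        """Return (accepted, subject_or_reason) for one posted SAML Response."""
        root = ET.fromstring(response_xml)
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            return False, "no assertion"
        conditions = assertion.find("saml:Conditions", NS)
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        aid = assertion.get("ID")
        if conditions is None or name_id is None or not aid:
            return False, "malformed assertion"
        not_before = parse_saml_time(conditions.get("NotBefore"))
        not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
        if now < not_before or now >= not_on_or_after:
            return False, "outside validity window"
        self._evict(now)
        if aid in self._seen:
            return False, "replayed assertion"  # the CVE-2025-64131 case
        self._seen[aid] = not_on_or_after
        return True, name_id.text


def demo():
    """Victim login, attacker replay, late replay, and a fresh IdP assertion."""
    cache = SamlReplayCache()
    t_login = parse_saml_time("2025-10-30T10:00:30Z")
    first = cache.accept(SAMPLE_RESPONSE, t_login)
    replay = cache.accept(SAMPLE_RESPONSE, t_login + timedelta(seconds=20))
    late = cache.accept(SAMPLE_RESPONSE, t_login + timedelta(minutes=10))
    fresh_xml = SAMPLE_RESPONSE.replace('ID="_assert-a1b2c3"', 'ID="_assert-d4e5f6"')
    fresh = cache.accept(fresh_xml, t_login + timedelta(seconds=40))
    return [first, replay, late, fresh]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Without the `_seen` check the second call would succeed exactly like the first, which is the pre-fix behaviour; note that the cache only helps once signature validation and the time-window check are already in place, since a cache keyed on an attacker-chosen ID protects nothing.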

MCP Server Plugin — Missing Permission Checks

CVE-2025-64132: MCP Server Plugin builds up to 0.84.v50ca_24ef83f2 did not check permissions in several of the plugin's tools, so a user holding only Item/Read could trigger builds, read a job's SCM configuration, and enumerate configured clouds. The fixed version enforces permission checks on those tools.

Related Plugin Risks to Watch

  • Extensible Choice Parameter: a CSRF flaw lets an attacker make a victim's browser execute sandboxed Groovy code (no fix yet; disable the plugin or restrict who can reach the controller). The sandbox limits, but does not eliminate, the impact.
  • Others in the 2025-10-29 batch include JDepend (XXE), Azure CLI (command execution), Nexus Task Runner, Themis, Windocks, OpenShift Pipeline and more. Check the advisory entry for every plugin you have installed.

Affected & Fixed Versions

  • SAML Plugin: affected up to 4.583.vc68232f7018a_; update to 4.583.585.v22ccc1139f55
  • MCP Server Plugin: affected up to 0.84.v50ca_24ef83f2; update to 0.86.v7d3355e6a_a_18
  • Extensible Choice Parameter: affected up to 239.v5f5c278708cf; no fix (disable/limit). 

Vulnerability records: NVD pages for CVE-2025-64131 (SAML) and CVE-2025-64132 (MCP) confirm impact and reference the advisory; Tenable/Nessus plugin lists detection logic. 

Rapid Triage & Containment (60–120 mins)

  1. Freeze exposure: if Jenkins is reachable from the internet, move it behind VPN/ZTNA or disable external access. Keep TLS end to end; if a reverse proxy terminates TLS, the hop from proxy to Jenkins carries SAML responses in cleartext unless it is re-encrypted or confined to a single trusted host.
  2. Patch now: upgrade the SAML and MCP Server plugins to the fixed builds; disable Extensible Choice Parameter until a fix ships.
  3. Force re-authentication: the plugin upgrade needs a controller restart, which drops Jenkins' in-memory HTTP sessions; confirm nothing persists sessions across restarts, and rotate admin and API tokens if you suspect replayed logins.
  4. Audit builds: look for builds whose triggering user lacks Item/Build, especially service accounts with read-only permissions (possible MCP abuse).
  5. Review configuration reads: check SCM and cloud configuration access by unexpected users; tighten Folder and project permissions.
  6. Assume leakage: exposed jobs may have leaked repositories and secrets; rotate PATs, SSH keys, and cloud credentials used in jobs.

Hunt Queries & Indicators

1) Suspicious SAML logins (replay pattern)

  • Several successful SAML logins for the same user within seconds or minutes from different source IPs or user agents: a replayed response produces a second login the user never initiated.
  • Logins arriving through a reverse proxy that does not terminate TLS cleanly, or carrying X-Forwarded-For values from unexpected sources.

2) Unauthorized build triggers (MCP)

  • Calls to MCP Server tools (e.g., triggerBuild, getJobScm, getStatus) by users who hold neither Item/Build nor Item/ExtendedRead.
  • Builds queued by unfamiliar service accounts; sudden cloud agent provisioning after read-only access.

3) High-value artifacts

  • Audit config.xml for tokens stored by affected plugins (see advisory list). Lock down filesystem access.
  • SIEM: alert on anonymous or low-privilege users hitting credential-touching endpoints.
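Hunt 2 above, as an added example (not Jenkins or MCP Server plugin code): walk a job's build history as returned by the Jenkins JSON API and flag every build whose triggering user is not in the set of Item/Build holders. The job JSON follows the shape of `GET /job/<name>/api/json?tree=builds[number,timestamp,actions[causes[_class,userId,userName]]]`; the permission set is assumed to be exported from the controller's authorization configuration (config.xml or JCasC). Both the sample builds and the permission set are constructed here so the script runs offline.

```python
"""Hunt for builds started by users who do not hold Item/Build.

Added example, not Jenkins or plugin code. Input is shaped like the Jenkins
JSON API output for a job:
  GET /job/<name>/api/json?tree=builds[number,timestamp,actions[causes[_class,userId,userName]]]
Actions that match none of the requested fields come back as empty objects.
The Item/Build holder set is assumed to be exported from the controller's
authorization configuration; here it is constructed.
"""
import json
from collections import Counter

USER_ID_CAUSE = "hudson.model.Cause$UserIdCause"

# Constructed: accounts granted Item/Build on the job (directly or through a group).
ITEM_BUILD_HOLDERS = {"ci-admin", "release-bot"}

# Constructed sample: two legitimate builds (admin-started, SCM-triggered) and
# two started by a read-only service account, the MCP abuse pattern.
SAMPLE_JOB_JSON = json.dumps({
    "_class": "org.jenkinsci.plugins.workflow.job.WorkflowJob",
    "builds": [
        {"number": 101, "timestamp": 1761789600000,
         "actions": [{"causes": [{"_class": USER_ID_CAUSE, "userId": "ci-admin", "userName": "CI Admin"}]}, {}]},
        {"number": 102, "timestamp": 1761793200000,
         "actions": [{"causes": [{"_class": "hudson.triggers.SCMTrigger$SCMTriggerCause"}]}]},
        {"number": 103, "timestamp": 1761796800000,
         "actions": [{"causes": [{"_class": USER_ID_CAUSE, "userId": "reader-svc", "userName": "Read-only service"}]}]},
        {"number": 104, "timestamp": 1761796860000,
         "actions": [{"causes": [{"_class": USER_ID_CAUSE, "userId": "reader-svc", "userName": "Read-only service"}]}]},
    ],
})


def user_triggered_builds(job_json):
    """Yield (build number, timestamp ms, userId) for builds a user started.

    Assumes the trigger is recorded as a UserIdCause for the calling user;
    if a plugin records a different cause class, extend the filter.
    """
    data = json.loads(job_json)
    for build in data.get("builds", []):
        for action in build.get("actions", []):
            for cause in action.get("causes", []):
                if cause.get("_class") == USER_ID_CAUSE and cause.get("userId"):
                    yield build["number"], build["timestamp"], cause["userId"]


def find_unauthorized_triggers(job_json, item_build_holders, job_name):
    """Builds whose triggering user is outside the Item/Build holder set."""
    return [
        {"job": job_name, "build": number, "timestamp": ts, "userId": uid}
        for number, ts, uid in user_triggered_builds(job_json)
        if uid not in item_build_holders
    ]


def triggers_per_user(findings):
    """Repeated triggers by one low-privilege account deserve the first look."""
    return dict(Counter(f["userId"] for f in findings))


if __name__ == "__main__":
    hits = find_unauthorized_triggers(SAMPLE_JOB_JSON, ITEM_BUILD_HOLDERS, "deploy-prod")
    for hit in hits:
        print(hit)
    print(triggers_per_user(hits))
```

Run it per job (or per folder, walking `jobs[...]` in the same API) and feed the holder set from your real authorization matrix, including group and folder-inherited grants; a false positive here is cheap, a missed read-only account that queued a production deploy is not.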

Hardening Jenkins (Least-Privilege & Exposure)

  • Network: Private-only; VPN/ZTNA; strict egress from controller/agents.
  • Identity: enforce SSO with signed assertions and, where the IdP supports it, encrypted assertions; keep controller clocks NTP-synced so NotBefore/NotOnOrAfter checks hold; end sessions on browser close and use short session TTLs.
  • Permissions: Deny Overall/Read to anonymous; use Folders + RBAC; no broad Item/Read.
  • Plugins: keep a minimal allowlist and uninstall what you do not use (a plugin with no fix is best removed); apply security updates promptly; subscribe to Jenkins security advisories.
  • Secrets: Move creds to a vault; rotate on every incident; use short-lived cloud tokens where possible.

CyberDudeBivash Services, Apps & Ecosystem

Services (Hire Us)

  • Jenkins Exposure Review & Hardening
  • CI/CD Incident Response & Token Rotation
  • RBAC & Plugin Governance Program
  • Supply-Chain Security & Build Provenance

FAQ

Does the SAML issue require network sniffing?

Yes. The attacker needs the SAML response data in order to replay it, which means a position on the path between the identity provider's redirect and Jenkins; poor TLS handling or a malicious or compromised proxy can provide that. The fix adds a replay cache.

We only grant Item/Read to most users. Is MCP still risky?

Yes. Before the fix, Item/Read was enough to trigger builds and read SCM and cloud details through the MCP tools. Update to the fixed version so the permission checks apply.

Are these in CISA KEV?

As of Oct 30, 2025 (IST) these are newly published CVEs; monitor KEV for additions and set patch SLAs accordingly rather than waiting for a listing.

Sources

  • Jenkins Security Advisory 2025-10-29 (SAML replay, MCP Server permission checks, related plugins, fixed versions).
  • NVD: CVE-2025-64131 (SAML Plugin, missing replay cache).
  • NVD: CVE-2025-64132 (MCP Server Plugin, missing permission checks).
  • Tenable Nessus plugin summary for the 2025-10-29 Jenkins plugins advisory.
  • Coverage and explainers on the SAML and MCP plugin issues.