CVE-2025-31720: 
Java vulnerability analysis and mitigation

CVE-2025-31720 is a medium severity vulnerability discovered in Jenkins core that affects versions 2.503 and earlier, and LTS 2.492.2 and earlier. The vulnerability was disclosed on April 2, 2025, and involves a missing permission check in an HTTP endpoint that impacts agent configuration access (Jenkins Advisory, NVD).

The vulnerability stems from a missing permission check in an HTTP endpoint within Jenkins core. It has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD).

The vulnerability allows attackers with Agent/Create permission but without Agent/Extended Read permission to copy an agent and gain unauthorized access to its configuration. This creates a potential security breach where attackers can access sensitive configuration data they shouldn't have permission to view (Jenkins Advisory).

The vulnerability has been fixed in Jenkins 2.504 and LTS 2.492.3. The fix implements proper permission checks by requiring Agent/Extended Read permission to copy an agent. Organizations are strongly advised to upgrade to these versions or later to address the vulnerability (Jenkins Advisory).

The vulnerability was discovered and reported by Daniel Beck from CloudBees, Inc., highlighting the ongoing collaboration between the Jenkins project and security researchers. The Jenkins security team promptly addressed the issue as part of a larger security advisory that included multiple vulnerability fixes (Security Online).