PT-2025-14511 · Jenkins+1 · Jenkins+1

Daniel Beck · Published 2025-04-02 · Updated 2025-04-29 · CVE-2025-31721

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Jenkins versions 2.503 and earlier
Jenkins LTS versions 2.492.2 and earlier

Description

A missing permission check in Jenkins allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration.

Recommendations

For Jenkins versions 2.503 and earlier, and for Jenkins LTS versions 2.492.2 and earlier, update to a version that includes the fix for the missing permission check. As a temporary workaround, consider restricting access to the agent copying feature to minimize the risk of exploitation.

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

BDU:2025-03793
BIT-JENKINS-2025-31721
CVE-2025-31721
GHSA-WR6W-JXG7-QPFH

Affected Products

Jenkins
Red Os