PT-2025-9859 · Jenkins+1

Daniel Beck · Published 2025-03-05 · Updated 2025-06-24 · CVE-2025-27622

CVSS v3.1 4.3 Medium
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.499 and earlier; Jenkins LTS versions 2.492.1 and earlier

Description: The issue allows attackers with Agent/Extended Read permission to view the encrypted values of secrets when accessing the config.xml of agents via the REST API or CLI, because Jenkins does not redact encrypted secret values in these scenarios. Attackers may potentially store attacker-controlled content in other users' profiles.

Recommendations: For Jenkins versions 2.499 and earlier, update to version 2.500 or later; for Jenkins LTS versions 2.492.1 and earlier, update to version 2.492.2 or later. Both releases redact the encrypted values of secrets when the config.xml of agents is accessed via the REST API or CLI. As a temporary workaround, consider restricting access to the REST API and CLI for users with Agent/Extended Read permission to minimize the risk of exploitation.
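Two checks a defender would want after reading the description and recommendations above, written here as an added Python example (not code from the advisory or from the Jenkins project): a version test against the fixed-version boundaries the advisory states, and a scan of an agent config.xml export for encrypted secret values that should have been redacted. It assumes that Jenkins weekly releases are versioned "2.N" and LTS releases "2.N.M", that Jenkins Secret ciphertext appears in config.xml as a base64 blob wrapped in braces, and that `SAMPLE_AGENT_CONFIG` is a constructed agent config.xml rather than a real export; the `example.HypotheticalLauncher` element is hypothetical.

```python
"""Defender-side checks for the Jenkins advisory above (added example).

Assumptions, not taken from the advisory:
  * Jenkins weekly releases are versioned "2.N" and LTS releases "2.N.M".
  * Jenkins Secret ciphertext is rendered as "{<base64>}" in config.xml.
  * SAMPLE_AGENT_CONFIG is a constructed agent config.xml, not a real export.
"""
import re
import xml.etree.ElementTree as ET

# Boundaries taken from the advisory text: weekly fixed in 2.500, LTS in 2.492.2.
LAST_AFFECTED_WEEKLY = (2, 499)
LAST_AFFECTED_LTS = (2, 492, 1)


def parse_version(version):
    """Turn "2.499" or "2.492.1" into a tuple of ints; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True when the given Jenkins version is within the affected range.

    Two components means a weekly release, three means an LTS release; each
    line is compared against its own last affected version.
    """
    v = parse_version(version)
    if len(v) == 2:
        return v <= LAST_AFFECTED_WEEKLY
    return v <= LAST_AFFECTED_LTS


# Shape of a Jenkins Secret ciphertext as it appears in config.xml (assumption):
# an opening brace, a base64 body, optional padding, a closing brace.
SECRET_CIPHERTEXT = re.compile(r"^\{[A-Za-z0-9+/]{16,}={0,2}\}$")


def find_unredacted_secrets(config_xml):
    """Return (tag, value) pairs for every element whose text is ciphertext.

    Run this over a config.xml fetched as a user holding only
    Agent/Extended Read; after the fix the list should be empty.
    """
    root = ET.fromstring(config_xml)
    hits = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if SECRET_CIPHERTEXT.match(text):
            hits.append((elem.tag, text))
    return hits


# Constructed sample of an agent config.xml: one leaked ciphertext, one
# properly redacted value, and ordinary non-secret fields.
SAMPLE_AGENT_CONFIG = """<slave>
  <name>build-agent-1</name>
  <description>Linux builder (constructed sample)</description>
  <remoteFS>/home/jenkins</remoteFS>
  <launcher class="example.HypotheticalLauncher">
    <host>agent.internal.example</host>
    <password>{AQAAABAAAAAQY29uc3RydWN0ZWRjaXBoZXJ0ZXh0}</password>
    <apiToken>********</apiToken>
  </launcher>
  <nodeProperties/>
</slave>
"""

if __name__ == "__main__":
    for v in ("2.499", "2.500", "2.492.1", "2.492.2"):
        print(v, "affected" if is_affected(v) else "fixed")
    for tag, value in find_unredacted_secrets(SAMPLE_AGENT_CONFIG):
        print(f"unredacted ciphertext in <{tag}>: {value[:12]}...")
```

The version check keeps the weekly and LTS lines separate on purpose: an LTS release such as 2.479.3 is numerically below 2.499 but is still its own line and must be judged against 2.492.1, and an LTS release based on a later weekly (for example 2.504.1) is outside the affected range even though its trailing component is small.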

Fix

Weakness Enumeration

Cleartext Storage of Sensitive Information
Information Disclosure

Related Identifiers

BDU:2025-04961
BIT-JENKINS-2025-27622
CVE-2025-27622
GHSA-P34J-R3CH-C985

Affected Products

Jenkins
Red Os