PT-2025-9860 · Jenkins

Daniel Beck · Published 2025-03-05 · Updated 2025-06-24 · CVE-2025-27623

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.499 and earlier, LTS versions 2.492.1 and earlier

Description: In the affected versions Jenkins does not redact the encrypted values of secrets stored in a view's config.xml. As a result, attackers with View/Read permission can obtain those encrypted values by retrieving the view's config.xml via the REST API or the CLI.

Recommendations: For Jenkins versions 2.499 and earlier, update to version 2.500 or later. For LTS versions 2.492.1 and earlier, update to version 2.492.2 or later. The fixed versions redact encrypted values of secrets in view config.xml retrieved via REST API or CLI for users lacking View/Configure permission.
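The advisory gives two separate cut-off versions, one for the weekly line and one for the LTS line, and administrators often have to classify many instances against both. The following script is an added example written for this entry; it is not code from Jenkins or from the advisory's author. It assumes Jenkins version strings have two components for weekly releases (2.499) and three for LTS releases (2.492.1), and it assumes Jenkins's braced base64 form for encrypted secrets (e.g. `{AQAAAB...}`) when scanning a fetched config.xml to confirm that the upgrade actually redacts them. The sample config.xml is constructed here, not captured from a real instance.

```python
import re

# Fix versions stated in the advisory: weekly 2.500, LTS 2.492.2.
FIXED_WEEKLY = (2, 500)
FIXED_LTS = (2, 492, 2)

# Weekly: "2.499"; LTS: "2.492.1". Anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")

# Assumption: Jenkins serialises an encrypted Secret as "{" + base64 + "}".
# Real values are far longer than 20 characters; the floor just keeps short
# braced tokens from matching.
_ENCRYPTED_SECRET_RE = re.compile(r"\{[A-Za-z0-9+/]{20,}={0,2}\}")


def parse_version(version: str) -> tuple:
    """Split a Jenkins version string into a tuple of ints."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(version: str) -> bool:
    """Three-component versions are LTS releases (assumption, see lead-in)."""
    return len(parse_version(version)) == 3


def is_affected(version: str) -> bool:
    """True if this Jenkins version predates the fix for CVE-2025-27623."""
    v = parse_version(version)
    if len(v) == 3:
        return v < FIXED_LTS      # LTS line: 2.492.1 and earlier
    return v < FIXED_WEEKLY       # weekly line: 2.499 and earlier


def recommended_upgrade(version: str):
    """Minimum fixed version for the line this instance tracks, or None."""
    if not is_affected(version):
        return None
    return "2.492.2" if is_lts(version) else "2.500"


def find_encrypted_secrets(config_xml: str) -> list:
    """Return braced-base64 tokens found in a view config.xml.

    After upgrading, fetch /view/<name>/config.xml as a user who holds
    View/Read but not View/Configure; an empty result means the secrets
    were redacted as the advisory describes.
    """
    return _ENCRYPTED_SECRET_RE.findall(config_xml)


# Constructed sample: a view config.xml with one encrypted-looking value.
SAMPLE_VIEW_CONFIG = """<?xml version="1.1" encoding="UTF-8"?>
<hudson.model.ListView>
  <name>team-view</name>
  <filterExecutors>false</filterExecutors>
  <properties>
    <example.Property>
      <token>{AQAAABAAAAAwbm90LWEtcmVhbC1zZWNyZXQtanVzdC1hLXNhbXBsZQ==}</token>
    </example.Property>
  </properties>
</hudson.model.ListView>
"""

if __name__ == "__main__":
    for ver in ("2.499", "2.500", "2.492.1", "2.492.2", "2.479.3"):
        print(ver, "affected" if is_affected(ver) else "fixed",
              recommended_upgrade(ver))
    print("unredacted secrets in sample:",
          len(find_encrypted_secrets(SAMPLE_VIEW_CONFIG)))
```

Older LTS lines (for example 2.479.x) sort below 2.492.2 and are therefore reported as affected, which matches the advisory's "2.492.1 and earlier" wording; a weekly instance is compared only against 2.500.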

Weakness Enumeration

Cleartext Storage of Sensitive Information
Information Disclosure

Related Identifiers

BDU:2025-04962
BIT-JENKINS-2025-27623
CVE-2025-27623
GHSA-RFH6-9R2Q-98VF

Affected Products

Jenkins
Red Os