Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission

GHSA-rfh6-9r2q-98vf · BIT-jenkins-2025-27623 · CVE-2025-27623

Published Mar 6, 2025 · Modified Feb 4, 2026

Description

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of views via REST API or CLI.

This allows attackers with View/Read permission to view encrypted values of secrets.

Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in view config.xml accessed via REST API or CLI for users lacking View/Configure permission.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-27623
WEB https://github.com/jenkinsci/jenkins/commit/923cdbc165e8b8523ae960dfee5f7354878532d5
PACKAGE https://github.com/jenkinsci/jenkins
WEB https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3496

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes