CVE-2025-27622 — Cleartext Storage of Sensitive Info in Jenkins

CWE-312 — Cleartext Storage of Sensitive Info CWE-319 — Cleartext Transmission of Sensitive Info CWE-862 — Missing Authorization7 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 38.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Jenkins Core Jenkins LTS +1 more

Timeline

PublishedMar 5

Latest updateApr 2

Description

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDjenkins/jenkins< 2.492.2+1

▶jenkinsjenkins/jenkins_lts

▶jenkinsjenkins/jenkins_core

▶jenkinsjenkins/jenkins_weekly

🔴Vulnerability Details

GHSA

Jenkins Missing Permission Check↗2025-04-02

▶

OSV

Jenkins Missing Permission Check↗2025-04-02

▶

OSV

Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission↗2025-03-06

▶

GHSA

Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission↗2025-03-06

▶

📋Vendor Advisories

Red Hat

jenkins: Encrypted values of secrets stored in agent configuration revealed to users with Agent/Extended Read permission↗2025-03-05

▶

Jenkins

Jenkins Security Advisory 2025-03-05↗2025-03-05

▶