CVE-2025-27622 – org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=2.493 <2.500 || >=0 <2.492.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00024 pctl0.04728

Details

Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI. This allows attackers with Agent/Extended Read permission to view encrypted values of secrets. Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in agent `config.xml` accessed via REST API or CLI for users lacking Agent/Configure permission.

Metadata

Created: 2025-03-06T00:31:56Z
Modified: 2025-03-06T22:30:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-p34j-r3ch-c985/GHSA-p34j-r3ch-c985.json
CWE IDs: ["CWE-312"]
Alternative ID: GHSA-p34j-r3ch-c985
Finding: F020
Auto approve: 1