CVE-2025-27623 – org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.492.2 || >=2.493 <2.500

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00069 pctl0.21641

Details

Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI. This allows attackers with View/Read permission to view encrypted values of secrets. Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in view `config.xml` accessed via REST API or CLI for users lacking View/Configure permission.

Metadata

Created: 2025-03-06T00:31:56Z
Modified: 2025-03-06T22:29:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-rfh6-9r2q-98vf/GHSA-rfh6-9r2q-98vf.json
CWE IDs: ["CWE-312"]
Alternative ID: GHSA-rfh6-9r2q-98vf
Finding: F020
Auto approve: 1