logo

Database

Improper authorization control for web services In org.jenkins-ci.main:jenkins-core

Description

Jenkins Missing Permission Check Jenkins 2.503 and earlier, LTS 2.492.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration.

This is due to an incomplete fix of SECURITY-3495/CVE-2025-27622.

Jenkins 2.504, LTS 2.492.3 requires Computer/Configure permission to copy an agent containing secrets.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-317212. NVD-2025-317213. OSV-2025-317214. GCVE-2025-31721

References

1. https://github.com/jenkinsci/jenkins/commit/b3651b475302e8dba20fc63c1ff89d144ec652f02. https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3513

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.