logo

Database

Improper authorization control for web services In org.jenkins-ci.main:jenkins-core

Description

Jenkins is missing a permission check on password fields A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-676362. NVD-2025-676363. OSV-2025-676364. GCVE-2025-67636

References

1. https://github.com/jenkinsci/jenkins/commit/3ee7380c5e167fab865f58b52a81ef01c24b9eb22. https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-1809

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.