logo

Database

Non-encrypted confidential information In org.jenkins-ci.main:jenkins-core

Description

Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI.

This allows attackers with Agent/Extended Read permission to view encrypted values of secrets.

Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in agent config.xml accessed via REST API or CLI for users lacking Agent/Configure permission.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-276222. NVD-2025-276223. OSV-2025-276224. GCVE-2025-27622

References

1. https://github.com/jenkinsci/jenkins/commit/923cdbc165e8b8523ae960dfee5f7354878532d52. https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3495

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.