Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1wMzRqLXIzY2gtYzk4Nc4ABFJJ

Moderate EPSS: 0.00026% (0.05508 Percentile) EPSS:
Permalink JSON

Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission

Affected Packages Affected Versions Fixed Versions
maven:org.jenkins-ci.main:jenkins-core < 2.492.2, >= 2.493, < 2.500 2.492.2, 2.500

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI.

This allows attackers with Agent/Extended Read permission to view encrypted values of secrets.

Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in agent config.xml accessed via REST API or CLI for users lacking Agent/Configure permission.

References:

Identifiers

GHSA-p34j-r3ch-c985

CVE-2025-27622

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00026

EPSS Percentile: 0.05508

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/jenkinsci/jenkins

Date and time

Published

5 months ago

Updated

5 months ago

API

JSON