Jenkins Encrypted Secrets Exposure Vulnerability

Vulnerability

Jenkins weekly releases 2.499 and earlier, and LTS releases 2.492.1 and earlier, do not redact the encrypted values of secrets when an agent's 'config.xml' is retrieved through the REST API or the command-line interface (CLI). Agent/Extended Read is the permission that lets a user read an agent's configuration without being able to change it, and it is meant to hide stored secrets the way the equivalent job-level permission does; because of this oversight, users holding it can read the encrypted values of any secrets stored in an agent's configuration.

Impact

Exploitation of this vulnerability discloses the encrypted values of secrets stored in agent configuration, such as passwords, to users with Agent/Extended Read permission. The values are disclosed as ciphertext rather than plaintext; recovering the plaintext additionally requires the controller's secret key material under $JENKINS_HOME/secrets, so the exposure is most serious where an attacker can combine this access with read access to the controller's file system or a backup of it.

Remediation

Users of Jenkins weekly releases should update to version 2.500. Users of Jenkins LTS should update to version 2.492.2. Until the update is applied, the exposure can be narrowed by granting Agent/Extended Read only to users who are also trusted with the secrets stored in agent configuration.
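As an added example (not part of this page and not Jenkins project code), the script below performs the two checks a practitioner would want for this issue: it classifies a controller version against the fixed releases named above, and it scans an agent's config.xml, fetched the way the advisory describes (REST API, /computer/<name>/config.xml), for encrypted Secret values that should have been redacted. The assumptions not taken from the page are the `{AQAAABAAAA...}` prefix that Jenkins 2.x ciphertext carries (base64 of the format byte 0x01 followed by the 16-byte IV length), the X-Jenkins response header used to read the version, and the constructed sample agent configuration embedded in the script.

```python
"""Checks for the Jenkins agent config.xml secret-redaction issue.

Added example, not Jenkins project code. Assumptions (not from the page):
the "{AQAAABAAAA" prefix of Jenkins 2.x Secret ciphertext, the X-Jenkins
response header, and the constructed sample agent XML below.
"""
import base64
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Fixed releases as stated in the advisory.
FIXED_WEEKLY = (2, 500)
FIXED_LTS = (2, 492, 2)

# Jenkins 2.x Secret ciphertext is "{" + base64(0x01, IV length 0x10, IV, ...)
# + "}", so every such value starts with "{AQAAABAAAA". A correctly redacted
# config.xml served to an Agent/Extended Read user must not contain it.
ENCRYPTED_SECRET_RE = re.compile(r"\{AQAAABAAAA[A-Za-z0-9+/]+=*\}")


def parse_version(version):
    """'2.499' -> (2, 499); '2.492.1' -> (2, 492, 1). LTS versions have three parts."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return parts


def is_vulnerable_version(version):
    """True if the core version falls inside the affected range stated by the advisory."""
    parts = parse_version(version)
    fixed = FIXED_LTS if len(parts) == 3 else FIXED_WEEKLY
    return parts < fixed


def find_unredacted_secrets(config_xml):
    """Return [(element path, ciphertext)] for every encrypted Secret left in config.xml.

    Element text and attribute values are both scanned, since plugins store
    secrets in either place.
    """
    found = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}" if path else elem.tag
        for attr, value in elem.attrib.items():
            for m in ENCRYPTED_SECRET_RE.finditer(value):
                found.append((f"{here}@{attr}", m.group(0)))
        if elem.text:
            for m in ENCRYPTED_SECRET_RE.finditer(elem.text):
                found.append((here, m.group(0)))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(config_xml), "")
    return found


def fetch_agent_config(jenkins_url, agent_name, user, api_token):
    """GET /computer/<name>/config.xml and return (X-Jenkins header, body).

    Run this as an account holding only Agent/Extended Read to reproduce the
    advisory's condition; a fixed controller serves the XML with the
    ciphertext removed, an affected one serves it intact.
    """
    url = (f"{jenkins_url.rstrip('/')}/computer/"
           f"{urllib.parse.quote(agent_name, safe='')}/config.xml")
    creds = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.headers.get("X-Jenkins", ""), resp.read().decode("utf-8")


# Constructed sample: an agent whose launcher (a hypothetical plugin) stores a
# password inline. The ciphertext is made up but follows the real format.
SAMPLE_AGENT_CONFIG = """<slave>
  <name>linux-builder-01</name>
  <remoteFS>/home/jenkins</remoteFS>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <retentionStrategy class="hudson.slaves.RetentionStrategy$Always"/>
  <launcher class="example.HypotheticalLauncher" plugin="hypothetical-plugin@1.0">
    <host>10.0.0.5</host>
    <username>jenkins</username>
    <password>{AQAAABAAAAAQ8mZ3x1aL0dCfGQ+VtuF3m2bVuCG2FTiq9uUbI1UR0Zc=}</password>
  </launcher>
  <label>linux</label>
  <nodeProperties/>
</slave>
"""

if __name__ == "__main__":
    for v in ("2.499", "2.500", "2.492.1", "2.492.2"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for path, ciphertext in find_unredacted_secrets(SAMPLE_AGENT_CONFIG):
        print(f"unredacted secret at {path}: {ciphertext[:16]}...")
```

To run the content check against a live controller, call fetch_agent_config with the URL, agent name and an API token for a test account that has Agent/Extended Read but not Agent/Configure, then pass the returned body to find_unredacted_secrets; an empty result on an agent known to hold a secret confirms the fix is in place. The CLI path the advisory mentions (`get-node <name>` with jenkins-cli.jar) returns the same XML and can be checked the same way.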

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 2.5
exploitability: 4.9
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.