Jenkins
cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*
- <= 2.499
- <= 2.492.1
A vulnerability exists in Jenkins versions through 2.499 and LTS through 2.492.1, where encrypted values of secrets are not redacted when the 'config.xml' of views is accessed via the REST API or CLI. This oversight allows users with View/Read permission to view sensitive encrypted information. The issue is similar to a previously reported vulnerability that exposed encrypted secrets in agent configurations to users with Agent/Extended Read permission.
Exploitation of this vulnerability lets users who hold only View/Read permission obtain the encrypted values of secrets stored in view configurations, such as passwords, which they are not authorized to see.
Users of Jenkins weekly releases should update to version 2.500, and users of Jenkins LTS should update to version 2.492.2. These versions include the necessary fix to redact encrypted values of secrets in view 'config.xml' when accessed via the REST API or CLI.
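As an added example (not code from the advisory or the Jenkins project), the Python check below maps a Jenkins version string onto the affected and fixed versions listed above, distinguishing the weekly line (two components) from the LTS line (three components); the `X-Jenkins` header value it reads comes from a constructed sample response, not a live instance.

```python
"""Classify a Jenkins version against the ranges named in this advisory."""
import re

# Fixed releases stated in the advisory: weekly 2.500, LTS 2.492.2.
FIXED_WEEKLY = (2, 500)
FIXED_LTS = (2, 492, 2)


def parse_version(version):
    """Split '2.492.1' into (2, 492, 1); a trailing suffix such as '-SNAPSHOT' is ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version):
    """True when the version lies in an affected range: weekly <= 2.499 or LTS <= 2.492.1."""
    parts = parse_version(version)
    if len(parts) == 3:
        # LTS releases carry a third component, so compare against the LTS fix.
        return parts < FIXED_LTS
    return parts < FIXED_WEEKLY


def version_from_headers(headers):
    """Pull the version out of the X-Jenkins response header (case-insensitive lookup)."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    raise KeyError("no X-Jenkins header in response")


def assess(headers):
    """Return (version, affected) for one set of response headers."""
    version = version_from_headers(headers)
    return version, is_affected(version)


# Constructed sample: headers as a patched LTS controller would return them.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Jenkins": "2.492.2"}

if __name__ == "__main__":
    ver, hit = assess(SAMPLE_HEADERS)
    print(f"Jenkins {ver}: {'affected, update required' if hit else 'fixed version'}")
```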