Jenkins Missing Permission Check Vulnerability Allows Unauthorized Access to Agent Configurations

Vulnerability

Jenkins weekly releases through 2.503 and LTS releases through 2.492.2 do not perform a permission check in the HTTP endpoint that creates a new agent by copying an existing one. The copy operation requires Computer/Create but is not gated on Computer/Extended Read for the agent being copied, so a user who holds Computer/Create but lacks Computer/Extended Read can copy any existing agent and thereby read its configuration, which the Extended Read permission is meant to protect.

Impact

An attacker who holds Computer/Create but not Computer/Extended Read can read the configuration of agents they are not otherwise permitted to inspect, simply by copying them. The disclosed configuration may include secrets or other confidential values stored in the agent definition.

Remediation

Update to Jenkins 2.504 or later, or LTS 2.492.3 or later; these releases add the missing Computer/Extended Read check to the agent copy operation. Until the update is applied, treat Computer/Create as equivalent to Computer/Extended Read when reviewing who holds it, since on affected versions the former is sufficient to read any agent's configuration.
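As an added check, not part of this advisory or of Jenkins itself, the following Python script applies the affected and fixed ranges above to a version string, distinguishing the LTS line (three numeric components) from weekly releases (two) and comparing numerically so that 2.492.10 is not mistaken for an affected release. It also reads the version from the X-Jenkins response header, which is standard Jenkins behaviour but is not stated on this page; the sample header sets at the bottom are constructed, not captured.

```python
"""Version triage for the Jenkins agent-copy permission gap described above.

Added example, not code from the advisory or from the Jenkins project. It
encodes only the ranges the advisory gives: weekly releases through 2.503 and
LTS releases through 2.492.2 are affected; 2.504 and 2.492.3 carry the fix.
"""
import re
from typing import Mapping, Optional, Tuple

# Affected ranges from the advisory (inclusive upper bounds) and fixed releases.
LAST_VULNERABLE_WEEKLY = (2, 503)
LAST_VULNERABLE_LTS = (2, 492, 2)
FIXED_WEEKLY = "2.504"
FIXED_LTS = "2.492.3"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse 'MAJOR.MINOR' (weekly) or 'MAJOR.MINOR.PATCH' (LTS) into ints.

    Numeric comparison is required: as strings, "2.492.10" < "2.492.2".
    Suffixed builds such as '2.504-SNAPSHOT' are rejected rather than guessed
    at, because a snapshot may or may not contain the fix.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_lts(version: str) -> bool:
    """Jenkins LTS versions carry three components, weekly releases two."""
    return len(parse_version(version)) == 3


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(version)
    if len(v) == 3:
        return v <= LAST_VULNERABLE_LTS
    return v <= LAST_VULNERABLE_WEEKLY


def remediation_target(version: str) -> Optional[str]:
    """Minimum release on the same line that contains the fix, or None if
    the given version is already fixed."""
    if not is_vulnerable(version):
        return None
    return FIXED_LTS if is_lts(version) else FIXED_WEEKLY


def version_from_headers(headers: Mapping[str, str]) -> Optional[str]:
    """Pull the version from the X-Jenkins response header.

    Assumption (standard Jenkins behaviour, not stated in the advisory): the
    controller reports its version in an 'X-Jenkins' header on HTTP responses.
    Header names are matched case-insensitively; returns None if absent.
    """
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def triage(headers: Mapping[str, str]) -> str:
    """One-line verdict for a captured response header set."""
    version = version_from_headers(headers)
    if version is None:
        return "no X-Jenkins header: version unknown, cannot triage"
    try:
        target = remediation_target(version)
    except ValueError as exc:
        return f"cannot triage: {exc}"
    if target is None:
        return f"Jenkins {version}: not affected"
    return f"Jenkins {version}: affected, update to {target} or later"


if __name__ == "__main__":
    # Constructed sample header sets standing in for real responses.
    for sample in (
        {"X-Jenkins": "2.503", "Server": "Jetty(12.0.16)"},
        {"x-jenkins": "2.492.2"},
        {"X-Jenkins": "2.492.10"},
        {"Server": "nginx"},
    ):
        print(triage(sample))
```

Note that an older LTS line such as 2.479.x is reported as affected with 2.492.3 as the target, which matches the advisory's "through 2.492.2" wording; the script does not try to decide whether a suffixed snapshot build carries the fix.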

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 2.5
exploitability: 4.9
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.