Jenkins Missing Permission Check Vulnerability Allows Access to Encrypted Secrets in Agent Configuration

Vulnerability

A vulnerability exists in Jenkins weekly versions through 2.503 and LTS versions through 2.492.2: a missing permission check allows attackers who hold Computer/Create permission, but not Computer/Configure permission, to copy an existing agent. Because the copy carries over the source agent's configuration, the attacker gains access to the encrypted secrets stored in it. The issue arises from an incomplete fix of a previous vulnerability (SECURITY-3495).

Impact

Exploitation of this vulnerability allows a user who is not permitted to configure agents to obtain the encrypted secrets held in the copied agent's configuration.

Remediation

Users should update Jenkins to version 2.504 or LTS 2.492.3. For Jenkins plugins, refer to the specific plugin update instructions available on the Jenkins Plugins site.
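An added example, not part of the advisory, showing how an inventory or compliance script could classify a Jenkins core version against the affected ranges stated above. The weekly and LTS lines have to be compared separately, because an LTS number such as 2.492.3 sorts below the weekly 2.503 yet already contains the fix; the thresholds are taken from the advisory text.

```python
"""Affected-version check for the Jenkins agent-copy permission issue.

Thresholds come from the advisory: weekly releases through 2.503 and
LTS releases through 2.492.2 are affected; 2.504 and LTS 2.492.3 fix it.
"""
from typing import Optional, Tuple

# First fixed release on each line (from the advisory).
FIXED_WEEKLY = (2, 504)
FIXED_LTS = (2, 492, 3)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.492.2' into (2, 492, 2).

    Jenkins weekly versions have two numeric components (e.g. '2.503'),
    LTS versions have three (e.g. '2.492.2'). Anything else is rejected
    rather than silently classified.
    """
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: str) -> bool:
    """LTS releases carry a third component; weekly releases do not."""
    return len(parse_version(version)) == 3


def is_affected(version: str) -> bool:
    """True when the given core version predates the fix on its own line.

    Older LTS lines (e.g. 2.479.x) compare below 2.492.3 and are therefore
    reported as affected, matching 'LTS versions through 2.492.2'.
    """
    parsed = parse_version(version)
    threshold = FIXED_LTS if is_lts(version) else FIXED_WEEKLY
    return parsed < threshold


def remediation_target(version: str) -> Optional[str]:
    """Return the fixed release to upgrade to, or None if already fixed."""
    if not is_affected(version):
        return None
    fixed = FIXED_LTS if is_lts(version) else FIXED_WEEKLY
    return ".".join(str(n) for n in fixed)
```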

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 2.5
exploitability: 4.9
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.