Jenkins Missing Permission Check in User Profile Menu Vulnerability

Vulnerability

A vulnerability exists in Jenkins weekly releases through 2.527 and LTS releases through 2.516.2: the dropdown menu shown for authenticated users' profiles lacks a permission check. As a result, attackers without Overall/Read permission can learn limited information about the Jenkins configuration by enumerating the options offered in this menu, for example whether the Credentials Plugin is installed. Jenkins 2.528 and LTS 2.516.3 fix the issue by requiring Overall/Read permission for these menu items.

Impact

Exploitation of this vulnerability could lead to unauthorized access to certain Jenkins configuration details, potentially revealing information about installed plugins or other system settings.

Remediation

Users of Jenkins weekly releases should update to version 2.528, and users of Jenkins LTS should update to version 2.516.3.
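For triaging an inventory of instances against the version boundaries stated above, the following added example (not Jenkins project code) decides whether a reported version is on the affected side of its own release line. It assumes Jenkins' usual two-component weekly and three-component LTS version strings; the header values in the comments are constructed samples.

```python
"""Triage helper for the Jenkins user profile menu permission-check issue.

Added example, not Jenkins project code. Boundaries come from the advisory:
weekly releases through 2.527 are affected (fixed in 2.528); LTS releases
through 2.516.2 are affected (fixed in 2.516.3).
"""
from typing import Dict, Optional, Tuple

FIXED_WEEKLY = (2, 528)      # first fixed weekly release
FIXED_LTS = (2, 516, 3)      # first fixed LTS release


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'MAJOR.MINOR' (weekly) or 'MAJOR.MINOR.PATCH' (LTS) into ints.

    Any other shape (masked headers, vendor suffixes) is rejected rather than
    guessed, so a triage run never silently marks an instance as fixed.
    """
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> bool:
    """True when the version predates the fixed release on its own line.

    LTS versions (three components) compare against 2.516.3, so older LTS
    lines such as 2.504.x are correctly reported as unfixed, while LTS lines
    cut after the fix (e.g. 2.528.x) are not. Weekly versions compare against
    2.528. Tuple comparison is only done between same-length tuples.
    """
    version = parse_version(text)
    fixed = FIXED_LTS if len(version) == 3 else FIXED_WEEKLY
    return version < fixed


def triage_headers(headers: Dict[str, str]) -> Optional[Tuple[str, bool]]:
    """Inspect the X-Jenkins response header that Jenkins adds to its replies.

    Returns (version, affected) or None when the header is absent, e.g. when a
    reverse proxy strips it. Constructed sample: {"X-Jenkins": "2.516.2"}.
    """
    value = headers.get("X-Jenkins") or headers.get("x-jenkins")
    if not value:
        return None
    return value.strip(), is_affected(value)
```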

Added: Sep 17, 2025, 2:18 PM
Updated: Sep 17, 2025, 2:27 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 4.9
remediation: 7.7
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.