Jenkins Missing Permission Check Vulnerability Allows Viewing Encrypted Passwords

Vulnerability

A vulnerability exists in Jenkins versions through 2.540 and LTS versions through 2.528.2: a missing permission check allows users with View/Read permission to access the encrypted values of password fields shown in views. The issue arises because certain plugins can display password fields in views without the necessary permission validation, leaving the encrypted values exposed. As of now, the Jenkins security team is not aware of any actively exploitable implementations of this vulnerability.

Impact

Exploitation of this vulnerability could lead to unauthorized access to encrypted password values, potentially allowing attackers to decrypt and misuse these credentials.

Remediation

Users should update to Jenkins version 2.541 or LTS version 2.528.3, both of which address this vulnerability by requiring View/Configure permission to access encrypted password values in views. Administrators who encounter problems with the stricter check can disable the fix by setting the system property 'hudson.Functions.nonRecursivePasswordMaskingPermissionCheck' to 'true'; doing so restores the previous, unprotected behaviour.
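As an added example (not from the advisory or the Jenkins project), the helper below classifies a Jenkins instance against the fixed versions named above and reports whether the escape-hatch property has been set on the Java command line. It assumes Jenkins' numbering convention that weekly releases have two version components and LTS releases three, and that the property value is read with Java's case-insensitive boolean parsing.

```python
import shlex

# Version boundaries stated in the advisory (last affected release per line).
WEEKLY_LAST_AFFECTED = (2, 540)     # fixed in 2.541
LTS_LAST_AFFECTED = (2, 528, 2)     # fixed in 2.528.3
# System property the advisory names for disabling the fix.
ESCAPE_HATCH = "hudson.Functions.nonRecursivePasswordMaskingPermissionCheck"


def parse_version(version: str) -> tuple:
    """Turn '2.528.2' into (2, 528, 2); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when this release still lacks the View/Configure check.

    Assumption: two components = weekly line, three = LTS line. Each line is
    compared against its own boundary, because LTS 2.528.3 is fixed even
    though numerically 2.528 < 2.540.
    """
    v = parse_version(version)
    if len(v) == 2:
        return v <= WEEKLY_LAST_AFFECTED
    if len(v) == 3:
        return v <= LTS_LAST_AFFECTED
    raise ValueError(f"unexpected version shape: {version!r}")


def fix_disabled(java_cmdline: str) -> bool:
    """True when -D<property>=true is present (case-insensitive, like Java)."""
    for arg in shlex.split(java_cmdline):
        if arg.startswith(f"-D{ESCAPE_HATCH}="):
            return arg.split("=", 1)[1].strip().lower() == "true"
    return False


def assess(version: str, java_cmdline: str = "") -> str:
    """Classify an instance as 'affected', 'fix-disabled' or 'fixed'."""
    if is_affected(version):
        return "affected"
    if fix_disabled(java_cmdline):
        return "fix-disabled"
    return "fixed"
```

Feed `assess()` the version reported by the instance and the command line of its Java process; a result of 'fix-disabled' means the instance is patched but the escape hatch has put it back into the vulnerable state.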

Added: Dec 10, 2025, 5:21 PM
Updated: Dec 10, 2025, 6:24 PM

Vulnerability Rating

Custom Algorithm (score per category)
spread: 5.7
impact: 2.5
exploitability: 4.9
remediation: 8.3
relevance: 1.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.