Jenkins
cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*
- <= 2.540 (weekly releases)
- <= 2.528.2 (LTS releases)
Jenkins weekly releases through 2.540 and LTS releases through 2.528.2 store build authorization tokens (the tokens used to trigger builds remotely) unencrypted in job configuration files on the Jenkins controller. Anyone with Item/Extended Read permission on a job, or with access to the controller's file system, can read them. In addition, the job configuration form does not mask the token field, so the value can be observed by anyone viewing the form. Jenkins 2.541 and LTS 2.528.3 fix this by storing the tokens encrypted and masking them in the job configuration form.
An exposed build authorization token lets whoever holds it trigger builds of the affected job without further authentication, which can lead to unauthorized actions or access within Jenkins.
Users should update to Jenkins version 2.541 or LTS 2.528.3. After updating, all affected job configurations can be migrated to the new encrypted format by navigating to 'Manage Jenkins' > 'Manage Old Data' and selecting 'Upgrade' in the 'Old Data Format' section.
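As an added example (not part of the advisory or of Jenkins itself), the following Python script implements the two checks an administrator would run around this remediation: whether a given Jenkins version falls in the affected ranges above, and whether any job `config.xml` on the controller still carries an unmigrated plaintext token after the 'Manage Old Data' upgrade. It assumes, since the advisory does not say so, that the token is serialised as an `<authToken>` element and that an encrypted Jenkins secret appears as a brace-delimited base64 blob; the sample configurations are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Fixed versions from the advisory: weekly 2.541, LTS 2.528.3.
WEEKLY_FIXED = (2, 541)
LTS_FIXED = (2, 528, 3)

# Assumption (not in the advisory): an encrypted Jenkins secret is written as
# a brace-delimited base64 blob, e.g. {AQAAABAAAA...=}; anything else is plaintext.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """Weekly releases have two components (2.540), LTS releases three (2.528.2);
    each line is compared against its own fixed version."""
    parts = parse_version(version)
    if len(parts) == 3:
        return parts < LTS_FIXED
    return parts < WEEKLY_FIXED


def has_plaintext_auth_token(config_xml: str) -> bool:
    """True if the job config carries an <authToken> that is not in encrypted form.
    The element name is an assumption; see the lead-in."""
    root = ET.fromstring(config_xml)
    for elem in root.iter("authToken"):
        value = (elem.text or "").strip()
        if value and not ENCRYPTED_SECRET.match(value):
            return True
    return False


def jobs_needing_migration(configs: dict) -> list:
    """Map of job name -> config.xml text; returns jobs still storing a plaintext token.
    Token values are deliberately not returned, only the job names."""
    return sorted(name for name, xml in configs.items() if has_plaintext_auth_token(xml))


# Constructed sample configs (real files start with an XML declaration, omitted here).
SAMPLE_CONFIGS = {
    "legacy-build": "<project><description>constructed</description>"
                    "<authToken>plaintext-trigger-token</authToken></project>",
    "migrated-build": "<project><authToken>{AQAAABAAAAAQY29uc3RydWN0ZWRibG9i=}</authToken></project>",
    "no-token": "<project><disabled>false</disabled></project>",
}

if __name__ == "__main__":
    print("2.540 affected:", is_affected("2.540"), "| 2.528.3 affected:", is_affected("2.528.3"))
    print("jobs still needing migration:", jobs_needing_migration(SAMPLE_CONFIGS))
```

On a real controller, build the `configs` mapping from `$JENKINS_HOME/jobs/*/config.xml`; a non-empty result after the upgrade means the 'Manage Old Data' step has not yet been applied to those jobs.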