CVE-2016-3724: Jenkins Exposes Sensitive Information from Job Configuration

May 14, 2022 (updated March 13, 2025)

Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.

References

access.redhat.com/errata/RHSA-2016:1206
github.com/advisories/GHSA-7vvj-qqvj-h8mc
github.com/jenkinsci/jenkins
nvd.nist.gov/vuln/detail/CVE-2016-3724
wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
www.cloudbees.com/jenkins-security-advisory-2016-05-11

Code Behaviors & Features

Detect and mitigate CVE-2016-3724 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →