CVE-2025-27623: Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of views via REST API or CLI.
This allows attackers with View/Read permission to view encrypted values of secrets.
Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in view config.xml accessed via REST API or CLI for users lacking View/Configure permission.
References
Code Behaviors & Features
Detect and mitigate CVE-2025-27623 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →