Jenkins, Information Disclosure, CVE-2025-XXXX (Moderate)

How the CVE Works:

This vulnerability exists in Jenkins versions 2.499 and earlier, including LTS 2.492.1 and earlier. The issue arises when accessing the `config.xml` file of views via the REST API or CLI. Jenkins fails to redact encrypted values of secrets stored in the agent configuration, exposing them to users with only Agent/Extended Read or View/Read permissions. Attackers can exploit this flaw to retrieve sensitive information, such as API keys, passwords, or other secrets, without requiring elevated privileges. Patched versions, 2.500 and LTS 2.492.2, address this by ensuring encrypted values are properly redacted for users without View/Configure permissions.

DailyCVE Form:

Platform: Jenkins
Version: < 2.492.2, >= 2.493, < 2.500
Vulnerability: Information Disclosure
Severity: Moderate
Date: Mar 6, 2025

What Undercode Say:

Exploitation:

  1. Exploit Command: Use the Jenkins REST API to access config.xml:
    curl -u username:password http://jenkins-server/view/view-name/config.xml
    
  2. Exploit Impact: Retrieve encrypted secrets stored in the configuration file.
  3. Exploit URL: Accessible via Jenkins REST API endpoints.

Protection:

  1. Update Jenkins: Upgrade to patched versions 2.500 or LTS 2.492.2.
    sudo apt-get update && sudo apt-get install jenkins
    
  2. Restrict Permissions: Limit Agent/Extended Read and View/Read permissions to trusted users.
  3. Audit Logs: Monitor REST API and CLI access logs for suspicious activity.
  4. Secret Management: Use external secret management tools like HashiCorp Vault.
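
For the Audit Logs step, the sketch below is an added example, not code from the original advisory or from the Jenkins project. It scans access-log lines for successful reads of view or agent `config.xml` by accounts that are not expected to hold Configure permission. It assumes the log is in Combined Log Format with the authenticated user in the third field; `configure_users` and the sample log lines are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# config.xml of a view or an agent, including nested views and views in folders.
CONFIG_RE = re.compile(r'/(?:view|computer)/[^/]+/config\.xml$')

def find_config_reads(lines, configure_users=frozenset()):
    """Return {user: sorted paths} for successful config.xml reads by accounts
    that are not in configure_users (assumed allowlist of Configure holders)."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue  # POST replaces the config and already requires Configure
        path = urlsplit(m["target"]).path  # drop any query string
        if CONFIG_RE.search(path) and m["user"] not in configure_users:
            hits[m["user"]].add(path)
    return {user: sorted(paths) for user, paths in hits.items()}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [06/Mar/2025:10:00:01 +0000] "GET /view/release/config.xml HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '10.0.0.5 - alice [06/Mar/2025:10:00:02 +0000] "GET /computer/build-01/config.xml?pretty=true HTTP/1.1" 200 900 "-" "curl/8.5.0"',
    '10.0.0.6 - bob [06/Mar/2025:10:01:00 +0000] "GET /job/app/view/nightly/config.xml HTTP/1.1" 403 120 "-" "curl/8.5.0"',
    '10.0.0.7 - admin [06/Mar/2025:10:02:00 +0000] "GET /view/release/config.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.8 - carol [06/Mar/2025:10:03:00 +0000] "POST /view/release/config.xml HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '10.0.0.9 - dave [06/Mar/2025:10:04:00 +0000] "GET /job/app/config.xml HTTP/1.1" 200 3100 "-" "curl/8.5.0"',
    '10.0.0.10 - - [06/Mar/2025:10:05:00 +0000] "GET /view/all/view/team/config.xml HTTP/1.1" 200 1500 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for user, paths in find_config_reads(SAMPLE_LOG, {"admin"}).items():
        print(user, paths)
```

A user of `-` in the result means the read was served without an authenticated account, which is worth reviewing separately from named low-privilege users.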

Analytics:

  1. Affected Versions: Jenkins < 2.492.2, >= 2.493, < 2.500.
  2. Severity Score: CVSS 5.4 (Moderate).
  3. Patch Release Date: March 6, 2025.

Code Snippets:

  1. Check Jenkins Version:
    java -jar jenkins.war --version

  2. Patch Jenkins:
    wget http://updates.jenkins-ci.org/download/war/2.500/jenkins.war

  3. Disable REST API Access:
    Modify Jenkins configuration to restrict API access:

    <useSecurity>true</useSecurity>
    <authorizationStrategy>
      <permission>...</permission>
    </authorizationStrategy>

References:

Reported By: https://github.com/advisories/GHSA-rfh6-9r2q-98vf