Jenkins Missing Permission Check Vulnerability CVE-2025-XXXX (Moderate)

Listen to this Post

The CVE-2025-XXXX vulnerability in Jenkins stems from an authorization flaw within the user interface’s sidepanel component. A specific view, designed to be accessible to users who lack the Overall/Read system permission, incorrectly renders a sidepanel. This sidepanel contains an executors widget that dynamically fetches and displays the names of all connected build agents. The core issue is that the application logic fails to perform a necessary permission check before populating this widget with sensitive data. Consequently, an attacker with minimal user-level access can navigate to this intentionally permissive page. By viewing the page source or intercepting the network traffic generated by the widget, the attacker can enumerate the names of every agent configured within the Jenkins instance, information that should be restricted.
Platform: Jenkins
Version: <2.516.3, 2.517-2.527
Vulnerability: Info Disclosure
Severity: Moderate

date: 2025-09-17

Prediction: Patch Available

What Undercode Say:

`curl -s http://jenkins-host/user/attacker/ | grep -o ‘agent-name-[^”]’`

` Agent names exposed in UI response`

How Exploit:

Access user profile page.

Inspect page source.

Extract agent names.

Protection from this CVE

Upgrade to 2.516.3/2.528.

Impact:

Agent Name Disclosure.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top