How the CVE Works
CVE-2025-27622 affects Jenkins 2.499 and earlier, including LTS 2.492.1 and earlier. The vulnerability occurs because Jenkins fails to redact encrypted secrets when the `config.xml` of an agent is accessed via the REST API or the CLI. Attackers holding Agent/Extended Read permission can exploit this flaw to retrieve the encrypted secrets, which can lead to unauthorized access or further system compromise. The issue stems from improper access control in the handling of agent configuration data, exposing secrets that should remain hidden.
DailyCVE Form
Platform: Jenkins
Version: ≤ 2.499 / LTS ≤ 2.492.1
Vulnerability: Sensitive Data Exposure
Severity: Critical
Date: 06/23/2025
Prediction: Patch expected by 07/15/2025
What Undercode Say
curl -s -X GET "http://<JENKINS_URL>/computer/<AGENT_NAME>/config.xml" | grep -i "encrypted"
How to Exploit
1. Gain Agent/Extended Read permissions.
2. Query agent `config.xml` via REST/CLI.
3. Extract encrypted secrets from the file.
Protection from this CVE
- Upgrade to patched version post-release.
- Restrict Agent/Extended Read permissions.
- Monitor unauthorized API/config access.
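Added example for the monitoring item above (written for this page, not code from the advisory or from the Jenkins project): a Python check that scans access log lines for reads of agent `config.xml` under `/computer/` and flags accounts that pulled the files of several agents. It assumes a combined-format access log from a reverse proxy in front of Jenkins; the user names, agent names and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: the proxy or access-log valve in front of Jenkins writes
# Combined Log Format (ip - user [timestamp] "METHOD path proto" status size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Endpoint named in the advisory; agent names may be URL-encoded, so the
# path is decoded before matching. CLI reads arrive as POST /cli and cannot
# be attributed to an agent from the access log alone.
AGENT_CONFIG_RE = re.compile(r'^/computer/(?P<agent>[^/]+)/config\.xml$')

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - alice [23/Jun/2025:10:15:02 +0000] "GET /computer/build-agent-1/config.xml HTTP/1.1" 200 4123',
    '10.0.0.5 - alice [23/Jun/2025:10:15:09 +0000] "GET /computer/build-agent-1/ HTTP/1.1" 200 9870',
    '10.0.0.5 - alice [23/Jun/2025:10:16:30 +0000] "GET /computer/linux%20x64/config.xml?depth=1 HTTP/1.1" 200 3998',
    '10.0.0.9 - - [23/Jun/2025:11:02:11 +0000] "GET /computer/build-agent-1/config.xml HTTP/1.1" 403 512',
    '10.0.0.7 - svc-scan [23/Jun/2025:11:40:01 +0000] "GET /computer/agent-2/config.xml HTTP/1.1" 200 4001',
    '10.0.0.7 - svc-scan [23/Jun/2025:11:40:02 +0000] "GET /computer/agent-3/config.xml HTTP/1.1" 200 4002',
    '10.0.0.7 - svc-scan [23/Jun/2025:11:40:03 +0000] "GET /computer/agent-4/config.xml HTTP/1.1" 200 4003',
    '10.0.0.7 - svc-scan [23/Jun/2025:11:41:00 +0000] "POST /cli HTTP/1.1" 200 120',
]

def find_agent_config_requests(lines):
    """One record per request (any status) for an agent's config.xml."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        path = unquote(m['path'].split('?', 1)[0])  # drop query string, decode
        a = AGENT_CONFIG_RE.match(path)
        if a is None or m['method'] != 'GET':
            continue
        hits.append({'user': m['user'], 'ip': m['ip'], 'ts': m['ts'],
                     'agent': a['agent'], 'status': m['status']})
    return hits

def reads_per_user(hits):
    """Map each user to the set of agents whose config.xml they read (HTTP 200)."""
    seen = defaultdict(set)
    for h in hits:
        if h['status'] == '200':
            seen[h['user']].add(h['agent'])
    return dict(seen)

def flag_enumeration(hits, min_agents=3):
    """Users who read config.xml of at least min_agents distinct agents."""
    return sorted(u for u, agents in reads_per_user(hits).items() if len(agents) >= min_agents)
```

Denied (403) attempts are kept in the request list so they can be reviewed separately as probing; only successful reads count toward the enumeration threshold.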
Impact
- Unauthorized secret disclosure.
- Privilege escalation risks.
- Compromise of linked systems.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode