How the CVE Works
CVE-2025-27623 affects Jenkins 2.499 and earlier and LTS 2.492.1 and earlier. When a view's `config.xml` is fetched through the REST API (`/view/<VIEW_NAME>/config.xml`) or the CLI, Jenkins did not redact the encrypted values of secrets stored in the view's configuration. For users who lack Configure permission Jenkins normally replaces such values with `********`; because that redaction was not applied to views, any user with View/Read permission could read the encrypted values. The values stay encrypted with the instance's secret key, so this is an exposure of encrypted secrets rather than a break of the encryption itself, but it hands an attacker ciphertext that anyone who also obtains the key files under `$JENKINS_HOME/secrets/` can decrypt.
DailyCVE Form
Platform: Jenkins
Version: ≤ 2.499 / ≤ 2.492.1 (LTS)
Vulnerability: Sensitive Data Exposure
Severity: Medium (Jenkins security advisory rating)
Date: 06/23/2025
Fixed in: Jenkins 2.500 / LTS 2.492.2 (released 03/05/2025)
What Undercode Say
Check the Jenkins version (from the X-Jenkins response header, or with the CLI `version` command):
  curl -sI "http://<JENKINS_URL>/" | grep -i '^X-Jenkins:'
  java -jar jenkins-cli.jar -s "http://<JENKINS_URL>/" -auth <USER>:<API_TOKEN> version
Exploit PoC (simulated; authenticate as an account that has only View/Read on the view, and treat any match as a leak):
  curl -s -u <USER>:<API_TOKEN> "http://<JENKINS_URL>/view/<VIEW_NAME>/config.xml" | grep -E '\{AQAAABAAAA[A-Za-z0-9+/=]+\}'
Jenkins serialises an encrypted secret as `{<base64>}` with a payload that always begins `AQAAABAAAA`, so grep for that pattern rather than for the word "encrypted", which does not appear in the XML. A patched instance returns `********` in place of the value.
How Exploit
An attacker with View/Read permission on a view requests its `config.xml` via the REST API or CLI and extracts the `{...}` encrypted values from the response. Decrypting them offline additionally requires the instance's key material (`master.key` and `hudson.util.Secret` from `$JENKINS_HOME/secrets/`), for example obtained through a separate file-read issue or a backup; without those files the attacker holds only ciphertext.
Protection from this CVE
1. Upgrade to Jenkins 2.500 or LTS 2.492.2 (or later), which redacts these values for users without Configure permission.
2. Restrict View/Read permissions to the users who need them, and treat the secret key files under `$JENKINS_HOME/secrets/` as equivalent to the secrets themselves.
3. Audit access logs for `GET /view/<VIEW_NAME>/config.xml` requests from accounts that only hold View/Read, and rotate any secret stored in a view configuration that such an account could have fetched.
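The two checks above, as an added example (not code from this page or from the Jenkins project): `classify()` tells whether a view `config.xml` fetched with a View/Read-only account still carries encrypted values (the vulnerable behaviour) or the `********` redaction (the patched behaviour), and `view_config_reads()` picks the successful fetches of a view's `config.xml` out of access-log lines for the audit step. The XML, the secret value and the log lines are constructed samples, and the NCSA "combined" log layout is an assumption about how the instance's access log is configured.

```python
"""Added example, not code from the DailyCVE page or the Jenkins project.

1. Does a view's config.xml, fetched as a View/Read-only user, still carry
   encrypted secret values instead of the "********" redaction Jenkins
   applies for users without Configure permission?
2. Which access-log entries successfully fetched a view's config.xml?
The XML and log lines below are constructed samples, not real captures.
"""
import re
from dataclasses import dataclass

# Jenkins writes an encrypted hudson.util.Secret as "{<base64>}". The payload
# starts with a 0x01 version byte, the 32-bit IV length (16) and the 32-bit
# data length, so the base64 text always begins "AQAAABAAAA". Redacted values
# are the literal "********".
ENCRYPTED_SECRET_RE = re.compile(r"\{AQAAABAAAA[A-Za-z0-9+/]+=*\}")
REDACTED = "********"
# Leaf elements only: <name>text</name> with no nested tags inside.
LEAF_ELEMENT_RE = re.compile(r"<([A-Za-z0-9_.:-]+)(?:\s[^>]*)?>([^<]*)</\1>")


@dataclass(frozen=True)
class SecretFinding:
    element: str   # element that carried the value, e.g. "password"
    value: str     # the encrypted "{...}" string exactly as served


def find_leaked_secrets(config_xml: str) -> list[SecretFinding]:
    """Every leaf element whose text is a Jenkins-encrypted secret.

    An empty result does not prove the server is patched: the view may simply
    hold no secrets. count_redacted() tells the two cases apart.
    """
    return [
        SecretFinding(name, text.strip())
        for name, text in LEAF_ELEMENT_RE.findall(config_xml)
        if ENCRYPTED_SECRET_RE.fullmatch(text.strip())
    ]


def count_redacted(config_xml: str) -> int:
    """How many leaf elements the server replaced with the redaction marker."""
    return sum(1 for _, text in LEAF_ELEMENT_RE.findall(config_xml)
               if text.strip() == REDACTED)


def classify(config_xml: str) -> str:
    """Summarise a config.xml fetched with a View/Read-only account."""
    if find_leaked_secrets(config_xml):
        return "leaking"       # encrypted values served: vulnerable behaviour
    if count_redacted(config_xml):
        return "redacted"      # patched behaviour
    return "no-secrets"        # nothing to conclude from this view


# Access log in the NCSA "combined" layout (assumed; adjust the regex if a
# reverse proxy in front of Jenkins writes a different format).
ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# /view/<name>/config.xml, including nested views (/view/A/view/B/config.xml)
VIEW_CONFIG_PATH_RE = re.compile(r"^(?:/view/[^/?#]+)+/config\.xml(?:[?#].*)?$")


def view_config_reads(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """(user, ip, path) for every successful GET of a view's config.xml."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        if VIEW_CONFIG_PATH_RE.match(m["path"]):
            hits.append((m["user"], m["ip"], m["path"]))
    return hits


# Constructed samples (not real Jenkins output; the secret is a dummy value).
DUMMY_SECRET = "{AQAAABAAAAAgdGhpcyBpcyBub3QgYSByZWFsIGNpcGhlcnRleHQ=}"
SAMPLE_LEAKING_XML = f"""<?xml version='1.1' encoding='UTF-8'?>
<hudson.model.ListView>
  <name>Prod</name>
  <properties>
    <jenkins.plugins.example.ViewCredential>
      <username>deploy</username>
      <password>{DUMMY_SECRET}</password>
    </jenkins.plugins.example.ViewCredential>
  </properties>
</hudson.model.ListView>
"""
SAMPLE_REDACTED_XML = SAMPLE_LEAKING_XML.replace(DUMMY_SECRET, REDACTED)
SAMPLE_LOG = [
    '10.0.0.5 - alice [23/Jun/2025:10:15:32 +0000] "GET /view/Prod/config.xml HTTP/1.1" 200 4312 "-" "curl/8.5.0"',
    '10.0.0.7 - bob [23/Jun/2025:10:16:01 +0000] "GET /view/Prod/ HTTP/1.1" 200 15210 "-" "Mozilla/5.0"',
    '10.0.0.5 - alice [23/Jun/2025:10:17:45 +0000] "GET /view/Ops/view/Nested/config.xml?depth=1 HTTP/1.1" 200 2210 "-" "python-requests/2.32"',
    '10.0.0.9 - carol [23/Jun/2025:10:18:00 +0000] "GET /job/build/config.xml HTTP/1.1" 403 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    print(classify(SAMPLE_LEAKING_XML), find_leaked_secrets(SAMPLE_LEAKING_XML))
    print(classify(SAMPLE_REDACTED_XML))
    for hit in view_config_reads(SAMPLE_LOG):
        print("view config.xml read:", hit)
```

Run `classify()` on the body returned by the curl request above for a View/Read-only account: `leaking` means the instance still serves encrypted values, `redacted` means the fix is in place, and `no-secrets` means that view cannot tell you either way. The log matcher deliberately requires a 200 status, since a 403 means the request was refused and nothing was exposed.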
Impact
Exposure of the encrypted values of credentials, API keys and other secrets stored in Jenkins view configuration to any user with View/Read permission; those values become plaintext for an attacker who also obtains the instance's key files under `$JENKINS_HOME/secrets/`.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode