SB2025030623 - Multiple vulnerabilities in Jenkins and Jenkins LTS
Published: March 6, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2025-27622)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the affected plugin does not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI. A remote user can view encrypted values of secrets.
2) Information disclosure (CVE-ID: CVE-2025-27623)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the affected plugin does not redact encrypted values of secrets when accessing config.xml of views via REST API or CLI. A remote user can view encrypted values of secrets.
3) Cross-site request forgery (CVE-ID: CVE-2025-27624)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
4) Open redirect (CVE-ID: CVE-2025-27625)
The vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
Remediation
Install update from vendor's website.