Sensitive Data Exposure in Jenkins REST API and CLI

CVE-2025-27622

What is CVE-2025-27622?

CVE-2025-27622 is a vulnerability found in Jenkins, a widely-used automation server for continuous integration and continuous delivery (CI/CD). This particular flaw affects versions 2.499 and earlier, as well as the long-term support release 2.492.1 and earlier. The vulnerability pertains to the Jenkins REST API and CLI, where it fails to adequately redact encrypted values of secrets within the config.xml files of agents. If exploited, this flaw could allow individuals with certain permissions to access sensitive data, posing a significant risk to organizational security.

Technical Details

The vulnerability arises due to Jenkins’s inability to obscure encrypted secrets when retrieved via the REST API or command-line interface (CLI). Attackers possessing Agent or Extended Read permissions can view these unredacted secrets, providing them with potentially sensitive information that could be used for further attacks or unauthorized access to additional systems or data. The lack of redaction means that even encoded values can be revealed, amplifying the threat to impacted environments using Jenkins for automation tasks.

Potential Impact of CVE-2025-27622

1. Data Exposure: The most immediate risk is the exposure of sensitive information, including credentials, tokens, or other critical secrets that could aid an attacker in gaining unauthorized access to systems or services.

2. Unauthorized Access: With the ability to see encrypted secrets, attackers could leverage this information to escalate privileges within an organization, leading to broader systemic vulnerabilities and potential data breaches.

3. Compromised CI/CD Pipelines: As Jenkins is integral to CI/CD processes, this vulnerability could disrupt software development workflows, allowing malicious actors to inject harmful changes into production environments, potentially leading to widespread exploitation.

References