Missing Permission Check in Jenkins Affects Agent Configuration Access
CVE-2025-31720

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins
Vendor: CVE Published:; 2 April 2025

Summary

A vulnerability in Jenkins allows attackers who possess the Computer/Create permission but lack the necessary Computer/Extended Read permission to duplicate an agent. This action grants them unauthorized access to the agent's configuration settings, potentially leading to further security risks. Users must ensure they are running versions of Jenkins that have addressed this issue.

Affected Version(s)

Jenkins 2.492.3

Jenkins 2.492.3 < 2.492.*

Jenkins 2.504

References

https://www.jenkins.io/security/advisory/2025-04-02/#SECU...

vendor-advisory

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 2, 2025
Vulnerability Reserved
Apr 1, 2025