Security Flaw in Jenkins Affects Agent Configuration Access
CVE-2025-31721

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins
Vendor: CVE Published:; 2 April 2025

Summary

A missing permission check in earlier versions of Jenkins allows users with specific permissions to exploit the system. Attackers with 'Computer/Create' permissions can copy an agent without having 'Computer/Configure' permissions, thereby gaining unauthorized access to encrypted secrets stored in the agent’s configuration. This vulnerability emphasizes the importance of strict access control measures to protect sensitive information within Jenkins environments.

Affected Version(s)

Jenkins 2.492.3

Jenkins 2.492.3 < 2.492.*

Jenkins 2.504

References

https://www.jenkins.io/security/advisory/2025-04-02/#SECU...

vendor-advisory

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 2, 2025
Vulnerability Reserved
Apr 1, 2025