CVE-2025-27622
📋 TL;DR
This vulnerability in Jenkins allows attackers with Agent/Extended Read permission to view encrypted secrets stored in agent configuration files via REST API or CLI access. It affects Jenkins 2.499 and earlier, including LTS 2.492.1 and earlier versions. The exposure occurs because encrypted values aren't properly redacted when accessing agent config.xml files.
💻 Affected Systems
- Jenkins
📦 What is this software?
Jenkins by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Attackers with Agent/Extended Read permission could exfiltrate all encrypted secrets stored in agent configurations, potentially compromising credentials, API keys, and other sensitive data used by Jenkins agents.
Likely Case
Authorized users with Agent/Extended Read permission could inadvertently or intentionally view sensitive encrypted values that should remain hidden, leading to credential exposure and potential lateral movement.
If Mitigated
With proper permission controls limiting Agent/Extended Read access to trusted administrators only, the impact is reduced to authorized users who shouldn't see encrypted values but can't escalate further.
🎯 Exploit Status
Exploitation requires authenticated access with Agent/Extended Read permission. The vulnerability is straightforward to exploit once an attacker has the required permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jenkins 2.500, Jenkins LTS 2.492.2
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3495
Restart Required: Yes
Instructions:
1. Back up your Jenkins instance.
2. Upgrade to Jenkins 2.500 or later.
3. For LTS users, upgrade to Jenkins LTS 2.492.2 or later.
4. Restart the Jenkins service.
5. Verify the fix by checking that encrypted values are now properly redacted in agent config.xml files.
🔧 Temporary Workarounds
Restrict Agent/Extended Read Permissions
Temporarily mitigate by removing Agent/Extended Read permission from all users except absolutely necessary administrators.
Navigate to Jenkins > Manage Jenkins > Configure Global Security > Matrix-based security or Role-based strategy
Remove Agent/Extended Read permission from non-admin users
🧯 If You Can't Patch
- Immediately review and restrict Agent/Extended Read permissions to only essential administrators
- Rotate all secrets stored in Jenkins agent configurations after implementing permission restrictions
🔍 How to Verify
Check if Vulnerable:
Check Jenkins version via Manage Jenkins > About Jenkins. If version is 2.499 or earlier (or LTS 2.492.1 or earlier), the system is vulnerable.
Check Version:
java -jar jenkins.war --version or check via Jenkins web interface
Verify Fix Applied:
After patching, verify version is 2.500 or later (or LTS 2.492.2 or later). Test by accessing agent config.xml via REST API with a user having Agent/Extended Read permission - encrypted values should now be redacted.
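The verification step above can be automated against the body returned by /computer/[agent]/config.xml. The script below is an added example, not code from the advisory or the Jenkins project: it scans a config.xml document for values that still look like Jenkins encrypted Secrets and reports their element paths. The encrypted-value pattern (base64 text wrapped in braces), the node property name, the token value and the "********" placeholder in the sample documents are all assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Assumption (not from the advisory): a Jenkins encrypted Secret is serialized as base64 text
# wrapped in braces, e.g. {AQAAABAAAA...}. Anything matching this in a config.xml served to a
# user who only holds Agent/Extended Read is an unredacted secret.
ENCRYPTED_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/=]{16,}\}$")

# Constructed sample: the kind of body a vulnerable instance could return for
# /computer/<agent>/config.xml. The node property and the token value are invented.
VULNERABLE_CONFIG_XML = """<slave>
  <name>build-agent-1</name>
  <launcher class="hudson.slaves.JNLPLauncher"/>
  <nodeProperties>
    <example.plugin.ApiTokenNodeProperty>
      <apiToken>{AQAAABAAAAAQ8c0wR1bX5mzYf3dHlwBsYtK2vNq7ZpQxL4uE9jC6aHs=}</apiToken>
    </example.plugin.ApiTokenNodeProperty>
  </nodeProperties>
</slave>
"""

# Constructed sample of the same node after patching. "********" is an assumed placeholder; the
# check below only requires that no encrypted value survives, whatever the placeholder is.
REDACTED_CONFIG_XML = VULNERABLE_CONFIG_XML.replace(
    "{AQAAABAAAAAQ8c0wR1bX5mzYf3dHlwBsYtK2vNq7ZpQxL4uE9jC6aHs=}", "********"
)


def find_unredacted_secrets(xml_text):
    """Return (element_path, value) for every element whose text looks like an encrypted Secret."""
    root = ET.fromstring(xml_text)
    hits = []

    def walk(elem, path):
        text = (elem.text or "").strip()
        if ENCRYPTED_SECRET_RE.match(text):
            hits.append((path, text))
        for child in elem:
            walk(child, f"{path}/{child.tag}")

    walk(root, root.tag)
    return hits


def config_is_redacted(xml_text):
    """True when the served config.xml contains no encrypted Secret values."""
    return not find_unredacted_secrets(xml_text)


if __name__ == "__main__":
    for label, body in (("vulnerable", VULNERABLE_CONFIG_XML), ("patched", REDACTED_CONFIG_XML)):
        hits = find_unredacted_secrets(body)
        status = "redacted" if not hits else "LEAK at " + ", ".join(p for p, _ in hits)
        print(f"{label}: {status}")
```

To use it against a real controller, fetch /computer/[agent]/config.xml with a test account that holds only Agent/Extended Read (for example with curl and an API token) and pass the response body to find_unredacted_secrets; after upgrading to 2.500 / LTS 2.492.2 the returned list should be empty for every agent.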
📡 Detection & Monitoring
Log Indicators:
- Multiple requests to /computer/[agent]/config.xml endpoints
- Unusual access patterns to agent configuration files by users with Agent/Extended Read permission
Network Indicators:
- Increased API calls to agent configuration endpoints
- Traffic patterns suggesting enumeration of agent configurations
SIEM Query:
source="jenkins" AND (uri="/computer/*/config.xml" OR uri="/api/json?tree=computer[*]" OR uri="/script")
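The SIEM query above can be turned into a small offline detector for teams without a SIEM. The following is an added example, not from the advisory: it parses access-log lines, classifies requests into the same three URI classes the query uses, and flags users who read config.xml for several distinct agents or who paired an agent enumeration with a config.xml read. The log format (Combined Log Format from a reverse proxy in front of Jenkins, with the Jenkins user in the remote-user field), the usernames, addresses and agent names in the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: Combined Log Format lines from a reverse proxy in front of Jenkins, with the
# authenticated Jenkins user in the remote-user field (the case for API-token basic auth).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The three URI classes from the SIEM query, as regexes.
AGENT_CONFIG_RE = re.compile(r"^/computer/(?P<agent>[^/]+)/config\.xml(?:\?.*)?$")
COMPUTER_ENUM_RE = re.compile(r"^/api/json\?.*tree=computer")
SCRIPT_CONSOLE_RE = re.compile(r"^/script(?:/|\?|$)")

# Constructed sample log: "alice" enumerates agents and then reads three config.xml files,
# "bob" reads one agent config as part of ordinary work, and one line is not an access log at all.
SAMPLE_LOG = [
    '10.1.2.3 - alice [05/Mar/2025:10:00:00 +0000] "GET /api/json?tree=computer[displayName] HTTP/1.1" 200 512',
    '10.1.2.3 - alice [05/Mar/2025:10:00:01 +0000] "GET /computer/build-agent-1/config.xml HTTP/1.1" 200 1842',
    '10.1.2.3 - alice [05/Mar/2025:10:00:02 +0000] "GET /computer/build-agent-2/config.xml HTTP/1.1" 200 1790',
    '10.1.2.3 - alice [05/Mar/2025:10:00:03 +0000] "GET /computer/build-agent-3/config.xml HTTP/1.1" 200 1811',
    '10.9.9.9 - bob [05/Mar/2025:10:05:00 +0000] "GET /computer/build-agent-1/config.xml HTTP/1.1" 200 1842',
    '10.9.9.9 - bob [05/Mar/2025:10:06:00 +0000] "GET /job/app/lastBuild/api/json HTTP/1.1" 200 900',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Per-user counters: distinct agents whose config.xml was read, enumeration and script-console hits.
    Status codes are deliberately not filtered: denied (403) attempts are as interesting as successes."""
    stats = defaultdict(lambda: {"agents": set(), "enum": 0, "script": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip non-matching lines instead of crashing the sweep
        user, uri = rec["user"], rec["uri"]
        m = AGENT_CONFIG_RE.match(uri)
        if m:
            stats[user]["agents"].add(m.group("agent"))
        elif COMPUTER_ENUM_RE.match(uri):
            stats[user]["enum"] += 1
        elif SCRIPT_CONSOLE_RE.match(uri):
            stats[user]["script"] += 1
    return stats


def flag_suspicious(lines, min_agents=3):
    """Users whose config.xml reads span at least min_agents distinct agents, or who combined an
    agent enumeration with at least one config.xml read. Returns (user, agents, enum, script) tuples."""
    alerts = []
    for user, s in sorted(summarize(lines).items()):
        n = len(s["agents"])
        if n >= min_agents or (n >= 1 and s["enum"] > 0):
            alerts.append((user, n, s["enum"], s["script"]))
    return alerts


if __name__ == "__main__":
    for user, agents, enum, script in flag_suspicious(SAMPLE_LOG):
        print(f"ALERT user={user} agent_configs={agents} enumerations={enum} script_console={script}")
```

The min_agents threshold is the knob to tune per environment: administrators who legitimately manage many agents will trip it during routine work, so pair the alert with the permission review from the workaround section rather than treating every hit as an incident.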