CVE-2025-67636
📋 TL;DR
This vulnerability in Jenkins allows attackers with View/Read permission to view encrypted password values in views. It affects Jenkins 2.540 and earlier, and LTS 2.528.2 and earlier. Users with limited permissions can access sensitive credential information they shouldn't be able to see.
💻 Affected Systems
- Jenkins
📦 What is this software?
Jenkins by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Attackers with View/Read permission could extract encrypted passwords, potentially leading to credential compromise and lateral movement within the Jenkins environment.
Likely Case
Users with View/Read permission can access encrypted password values in views, exposing sensitive credential information that should be restricted to users with higher privileges.
If Mitigated
With proper access controls and monitoring, the impact is limited to information disclosure of encrypted credentials rather than plaintext passwords.
🎯 Exploit Status
Exploitation requires View/Read permission, making it accessible to many users but not completely unauthenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jenkins 2.541, LTS 2.528.3
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-1809
Restart Required: Yes
Instructions:
1. Backup your Jenkins instance.
2. Upgrade to Jenkins 2.541 or LTS 2.528.3.
3. Restart the Jenkins service.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict View/Read Permissions
Temporarily restrict View/Read permissions to trusted users only until patching can be completed.
🧯 If You Can't Patch
- Review and audit all users with View/Read permissions, removing unnecessary access
- Implement additional monitoring for credential access attempts and review audit logs regularly
🔍 How to Verify
Check if Vulnerable:
Check Jenkins version via Manage Jenkins > About Jenkins or via CLI with 'java -jar jenkins.war --version'
Check Version:
java -jar jenkins.war --version
Verify Fix Applied:
Verify Jenkins version is 2.541 or higher, or LTS 2.528.3 or higher
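The version check above differs for the weekly and LTS release lines (two-part versions such as 2.540 versus three-part versions such as 2.528.2). The following script, added here as an example and not part of the advisory, parses the output of `java -jar jenkins.war --version` and compares it against the fixed versions given on this page; the path to `jenkins.war` is assumed.

```python
import re
import subprocess

# Fixed versions from the advisory: weekly 2.541, LTS 2.528.3.
# Affected: weekly 2.540 and earlier, LTS 2.528.2 and earlier.
WEEKLY_FIXED = (2, 541)
LTS_FIXED = (2, 528, 3)


def parse_version(text: str) -> tuple:
    """Extract the first dotted version number from `--version` output."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if not m:
        raise ValueError(f"no Jenkins version found in: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True if this Jenkins version is affected by CVE-2025-67636.

    Weekly releases carry two components (2.540); LTS releases carry three
    (2.528.2). Each line is compared against its own fixed version, so an
    LTS build is never compared to the weekly threshold or vice versa.
    """
    v = parse_version(version)
    if len(v) == 3:          # LTS line
        return v < LTS_FIXED
    if len(v) == 2:          # weekly line
        return v < WEEKLY_FIXED
    raise ValueError(f"unexpected Jenkins version format: {version}")


def check_installed(war_path: str = "jenkins.war") -> bool:
    """Run the advisory's CLI check against a local jenkins.war (path assumed)."""
    out = subprocess.run(["java", "-jar", war_path, "--version"],
                         capture_output=True, text=True, check=True).stdout
    return is_vulnerable(out)


if __name__ == "__main__":
    import sys
    war = sys.argv[1] if len(sys.argv) > 1 else "jenkins.war"
    print("VULNERABLE" if check_installed(war) else "patched")
```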
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to views containing credentials
- Multiple credential view requests from users with only View/Read permissions
Network Indicators:
- Increased requests to view endpoints from users with limited permissions
SIEM Query:
source="jenkins" AND (event="view_access" OR event="credential_access") AND user_permission="view_read"