What is the severity of CVE-2025-27622?

CVE-2025-27622 has a high severity rating due to its potential for unauthorized access to sensitive encrypted values.

Who is affected by CVE-2025-27622?

CVE-2025-27622 affects Jenkins versions 2.499 and earlier, as well as LTS 2.492.1 and earlier.

How do I fix CVE-2025-27622?

To fix CVE-2025-27622, upgrade Jenkins to version 2.500 or later, or LTS 2.493 or later.

What type of permissions allow exploitation of CVE-2025-27622?

Attackers with Agent or Extended Read permission can exploit CVE-2025-27622 to view encrypted values of secrets.

What is the main issue highlighted by CVE-2025-27622?

CVE-2025-27622 highlights that Jenkins does not redact encrypted values of secrets in the config.xml file accessible via REST API or CLI.

Vulnerability/
CVE-2025-27622

medium

4.3

CWE

312

EPSS

0.043%

5/3/2025

6/3/2025

CVE-2025-27622

First published: Wed Mar 05 2025(Updated: )

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets.

Credit: jenkinsci-cert@googlegroups.com

Affected Software	Affected Version	How to fix
Jenkins LTS	<2.499
Jenkins	<2.492.1
maven/org.jenkins-ci.main:jenkins-core	<2.492.2	2.492.2
maven/org.jenkins-ci.main:jenkins-core	>=2.493<2.500	2.500

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-27622?
CVE-2025-27622 has a high severity rating due to its potential for unauthorized access to sensitive encrypted values.
Who is affected by CVE-2025-27622?
CVE-2025-27622 affects Jenkins versions 2.499 and earlier, as well as LTS 2.492.1 and earlier.
How do I fix CVE-2025-27622?
To fix CVE-2025-27622, upgrade Jenkins to version 2.500 or later, or LTS 2.493 or later.
What type of permissions allow exploitation of CVE-2025-27622?
Attackers with Agent or Extended Read permission can exploit CVE-2025-27622 to view encrypted values of secrets.
What is the main issue highlighted by CVE-2025-27622?
CVE-2025-27622 highlights that Jenkins does not redact encrypted values of secrets in the config.xml file accessible via REST API or CLI.

collector/mitre-cve
source/MITRE
agent/references
agent/type
agent/first-publish-date
agent/description
agent/guess-ai
agent/software-canonical-lookup
agent/softwarecombine
agent/author
agent/trending
collector/epss-latest
source/FIRST
agent/source
agent/epss
collector/nvd-api
source/NVD
agent/last-modified-date
agent/weakness
agent/severity
agent/event
agent/tags
collector/nvd-cve
collector/github-advisory-latest
source/GitHub
alias/GHSA-p34j-r3ch-c985
alias/CVE-2025-27622
vendor/jenkins
canonical/jenkins lts
canonical/jenkins
package-manager/maven

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.