Multiple vulnerabilities disclosed in Jenkins

Summary

Cyble's Security Update Advisory provides a synopsis of the latest vulnerability patches released by various vendors. This advisory discusses multiple vulnerabilities disclosed in Jenkins.

Based on naming standards followed by Common Vulnerabilities and Exposures (CVE) and severity standards as defined by the Common Vulnerability Scoring System (CVSS), vulnerabilities are classified as high, medium, and low vulnerabilities.

Vulnerability Details

Information Disclosure

CVE-2025-27622

CVSSv3.1

NA

Severity

Medium

Vulnerable Versions

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier

Description

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier do not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets

Patch Link

Link

Information Disclosure

CVE-2025-27623

CVSSv3.1

NA

Severity

Medium

Vulnerable Versions

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier

Description

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier do not redact encrypted values of secrets when accessing config.xml of views via REST API or CLI, allowing attackers with View/Read permission to view encrypted values of secrets.

Patch Link

Link

Information Disclosure

CVE-2025-27624

CVSSv3.1

NA

Severity

Medium

Vulnerable Versions

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier

Description

A Cross-Site Request Forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets)

Patch Link

Link

Information Disclosure

CVE-2025-27625

CVSSv3.1

NA

Severity

Medium

Vulnerable Versions

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier

Description

In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting with backslash (`\`) characters are considered safe, allowing attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site because browsers interpret these characters as part of scheme-relative redirects.

Patch Link

Link

Recommendation

Implement the latest patch released by the official vendor: Regularly update all software and hardware systems with the latest patches from official vendors to mitigate vulnerabilities and protect against exploits. Establish a routine schedule for patch application and ensure critical patches are applied immediately.

Implement a robust patch management process: Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

Incident response and recovery plan: Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

Monitoring and logging malicious activities across the network: Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.

To mitigate risks associated with End-of-Life (EOL) products: Organizations should proactively identify and assess their criticality, then plan for timely upgrades or replacements.

Conclusion

Jenkins is an open-source automation server widely used for continuous integration and continuous delivery (CI/CD) in software development. It allows developers to automate the building, testing, and deployment of applications, making it a critical component of DevOps workflows. Patching vulnerabilities in Jenkins is crucial, regardless of their severity, because attackers can exploit even low or medium-severity flaws to gain initial access, escalate privileges, or disrupt CI/CD pipelines. Since Jenkins often manages sensitive credentials, source code, and deployment processes, unpatched vulnerabilities can lead to data breaches, supply chain attacks, or unauthorized code execution, posing significant risks to an organization's software integrity and security.