CVE-2025-27622 Overview
CVE-2025-27622 is an information disclosure vulnerability in Jenkins that allows attackers with Agent/Extended Read permission to view encrypted values of secrets. The vulnerability exists because Jenkins 2.499 and earlier, as well as LTS 2.492.1 and earlier, does not properly redact the encrypted values of secrets when an agent's config.xml is accessed via the REST API or CLI.
Critical Impact
Attackers with limited Agent/Extended Read permissions can extract encrypted secret values from agent configurations, potentially compromising sensitive credentials and tokens used in CI/CD pipelines.
Affected Products
- Jenkins 2.499 and earlier (weekly releases)
- Jenkins LTS 2.492.1 and earlier
- All Jenkins installations with agents configured using secrets
Discovery Timeline
- 2025-03-05 - CVE-2025-27622 published to NVD
- 2025-06-24 - Last updated in NVD database
Technical Details for CVE-2025-27622
Vulnerability Analysis
This vulnerability is classified as CWE-312 (Cleartext Storage of Sensitive Information). When users with Agent/Extended Read permission access the config.xml file of Jenkins agents through the REST API or CLI interface, encrypted secret values are not properly redacted. While the secrets remain encrypted, exposing these encrypted values provides attackers with material that could potentially be decrypted offline or used in credential theft attacks.
The vulnerability requires authenticated access with specific permissions, limiting the attack surface to insider threats or scenarios where an attacker has already gained limited access to the Jenkins instance. However, in environments with multiple users and role-based access controls, this represents a significant breach of the principle of least privilege.
Root Cause
The root cause lies in improper handling of sensitive data in the agent configuration export functionality. The Jenkins codebase fails to apply the same redaction logic used elsewhere in the application when serializing agent config.xml files for API and CLI access. This oversight allows the encrypted representation of secrets to be exposed to users who should only have read access to agent configurations, not the underlying credential data.
Attack Vector
The attack vector is network-based and requires low privilege (Agent/Extended Read permission). An authenticated attacker can exploit this vulnerability by:
- Authenticating to Jenkins with an account that has Agent/Extended Read permission
- Making REST API calls to retrieve agent configuration files (e.g., /computer/[agent-name]/config.xml)
- Extracting encrypted secret values from the returned XML configuration
- Potentially using the encrypted values in further attacks or offline decryption attempts
The vulnerability does not require user interaction and can be exploited programmatically against multiple agents to harvest credential data at scale.
Detection Methods for CVE-2025-27622
Indicators of Compromise
- Unusual or frequent REST API requests to /computer/*/config.xml endpoints
- High volume of agent configuration file requests from a single user account
- API access to agent configurations from unexpected IP addresses or user accounts
- Audit log entries showing bulk retrieval of agent configuration data
Detection Strategies
- Monitor Jenkins access logs for patterns of config.xml retrieval across multiple agents
- Implement alerting on API endpoints accessing agent configurations outside normal automation workflows
- Review audit logs for accounts with Agent/Extended Read permissions accessing configuration endpoints
- Deploy network monitoring to detect unusual patterns of Jenkins API utilization
Monitoring Recommendations
- Enable and centralize Jenkins audit logging to capture all API access events
- Configure SIEM rules to alert on bulk agent configuration retrieval attempts
- Periodically review which accounts have Agent/Extended Read permissions
- Monitor for any attempts to use extracted credential data against other systems
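A detection routine in the spirit of the strategies and SIEM recommendations above, written here as an added example (not Jenkins project code): it parses constructed access-log lines in the combined format Jenkins' Winstone access logger can emit, keeps successful GETs of /computer/<agent>/config.xml, and flags any user who reads the configuration of several distinct agents inside a short window. The log format, user names, thresholds and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from a real instance) in the "combined" format
# Jenkins writes when Winstone access logging is enabled; field 3 is the user.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2025:10:00:01 +0000] "GET /computer/linux-01/config.xml HTTP/1.1" 200 2310 "-" "curl/8.5"
10.0.0.5 - alice [12/Mar/2025:10:00:02 +0000] "GET /computer/linux-02/config.xml HTTP/1.1" 200 2298 "-" "curl/8.5"
10.0.0.5 - alice [12/Mar/2025:10:00:02 +0000] "GET /computer/win-01/config.xml HTTP/1.1" 200 2401 "-" "curl/8.5"
10.0.0.9 - bob [12/Mar/2025:10:05:00 +0000] "GET /computer/linux-01/config.xml HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.9 - bob [12/Mar/2025:10:06:00 +0000] "GET /computer/linux-01/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
10.0.0.7 - ci-bot [12/Mar/2025:10:07:00 +0000] "GET /computer/linux-01/config.xml HTTP/1.1" 200 2310 "-" "python-requests/2.31"
10.0.0.7 - ci-bot [12/Mar/2025:11:30:00 +0000] "GET /computer/linux-02/config.xml HTTP/1.1" 200 2298 "-" "python-requests/2.31"
"""

# Combined-format request line, and the agent config.xml path named in the advisory.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
AGENT_CFG_RE = re.compile(r'^/computer/(?P<agent>[^/]+)/config\.xml(?:\?.*)?$')


def parse_agent_config_reads(log_text):
    """Return (user, ip, agent, time) for each successful GET of an agent config.xml."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        a = AGENT_CFG_RE.match(m["path"])
        if a:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((m["user"], m["ip"], a["agent"], ts))
    return events

def find_bulk_retrieval(events, min_agents=3, window=timedelta(minutes=10)):
    """Sliding window per user: {user: max distinct agents read in one window} if >= min_agents."""
    per_user = defaultdict(list)
    for user, _ip, agent, ts in events:
        per_user[user].append((ts, agent))
    flagged = {}
    for user, reads in per_user.items():
        reads.sort()
        best = start = 0
        for end in range(len(reads)):
            while reads[end][0] - reads[start][0] > window:
                start += 1  # drop reads that fell out of the window
            best = max(best, len({agent for _, agent in reads[start:end + 1]}))
        if best >= min_agents:
            flagged[user] = best
    return flagged
```

With the sample above, only alice (three agents in two seconds) is flagged; ci-bot's two reads are 83 minutes apart and stay below the threshold, which is the pattern a scheduled automation account typically produces.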
How to Mitigate CVE-2025-27622
Immediate Actions Required
- Upgrade Jenkins to version 2.500 or later (weekly) or LTS 2.492.2 or later
- Audit all accounts with Agent/Extended Read permissions and reduce access where possible
- Review agent configurations for sensitive secrets that may have been exposed
- Rotate any credentials or secrets stored in agent configurations as a precaution
Patch Information
Jenkins has released security patches addressing this vulnerability. According to the Jenkins Security Advisory #SECURITY-3495, users should upgrade to:
- Jenkins weekly: Version 2.500 or later
- Jenkins LTS: Version 2.492.2 or later
The patch ensures that encrypted secret values are properly redacted when agent config.xml files are accessed via REST API or CLI, consistent with the security behavior in other parts of the application.
Workarounds
- Restrict Agent/Extended Read permissions to only essential personnel until patching is complete
- Use Jenkins' built-in credentials plugin with strict access controls instead of embedding secrets in agent configurations
- Implement network segmentation to limit API access to the Jenkins controller
- Consider disabling CLI access if not required, reducing the attack surface
- Monitor and audit all access to agent configuration endpoints
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.