Jenkins is missing a permission check on password fields
Moderate severity GitHub Reviewed Published Dec 10, 2025 to the GitHub Advisory Database • Updated Dec 10, 2025
Package
org.jenkins-ci.main:jenkins-core (Maven)
Affected versions
>= 2.529, < 2.541
< 2.528.3
Patched versions
2.541
2.528.3
Description
Published by the National Vulnerability DatabaseDec 10, 2025
Published to the GitHub Advisory Database Dec 10, 2025
Reviewed Dec 10, 2025
Last updated Dec 10, 2025
A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views.
References