Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAKG2iZijXv6DD60je8CTXrbyX_iNi3BOiZP43ORPOBm7YoJuww@mail.gmail.com>
Date: Wed, 5 Mar 2025 18:17:07 +0100
From: Kevin Guerroudj <kguerroudj@...udbees.com>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.500
* Jenkins LTS 2.492.2


Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2025-03-05/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3495 / CVE-2025-27622
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact
encrypted values of secrets when accessing `config.xml` of agents via REST
API or CLI.

This allows attackers with Agent/Extended Read permission to view encrypted
values of secrets.


SECURITY-3496 / CVE-2025-27623
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact
encrypted values of secrets when accessing `config.xml` of views via REST
API or CLI.

This allows attackers with View/Read permission to view encrypted values of
secrets.


SECURITY-3498 / CVE-2025-27624
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not require POST
requests for the HTTP endpoint toggling collapsed/expanded status of
sidepanel widgets (e.g., Build Queue and Build Executor Status widgets),
resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to have users toggle their
collapsed/expanded status of sidepanel widgets.

Additionally, as the API accepts any string as the identifier of the panel
ID to be toggled, attacker-controlled content can be stored in the victim's
user profile in Jenkins.


SECURITY-3501 / CVE-2025-27625
Various features in Jenkins redirect users to partially user-controlled
URLs inside Jenkins. To prevent open redirect vulnerabilities, Jenkins
limits redirections to safe URLs (neither absolute nor
scheme-relative/network-path reference).

In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting
with backslash (`\`) characters are considered safe.

This allows attackers to perform phishing attacks by having users go to a
Jenkins URL that will forward them to a different site, because browsers
interpret these characters as part of scheme-relative redirects.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.