Multiple Jenkins Vulnerability Let Attackers Expose Secrets
- From site: Vulnerability (cybersecuritynews.com)
Author: Kaaviya
Jenkins, the widely adopted open-source automation server at the heart of many CI/CD pipelines, has disclosed four critical security vulnerabilities enabling unauthorized secret disclosure, cross-site request forgery (CSRF), and open redirect attacks.
These flaws, patched in versions 2.500 (weekly) and 2.492.2 (LTS), affect earlier releases, including Jenkins 2.499 and LTS 2.492.1. Potential impacts range from credential theft to phishing campaigns.
Two vulnerabilities, CVE-2025-27622 and CVE-2025-27623, originate from improper redaction of encrypted secrets in agent and view configurations.
Attackers with Agent/Extended Read or View/Read permissions could exploit REST API or CLI endpoints to retrieve config.xml files containing unredacted secrets.
This bypasses the Jenkins security controls intended to mask sensitive data, exposing credentials such as API keys, database passwords, and cryptographic tokens.
The root cause is insufficient access validation when processing config.xml requests. While Jenkins redacts secrets for users lacking Agent/Configure or View/Configure permissions, earlier versions failed to enforce this during API/CLI interactions.
CloudBees engineers linked these flaws to SECURITY-266, a 2016 vulnerability involving similar exposure vectors.
CSRF Vulnerability in Sidepanel Widgets (CVE-2025-27624)
CVE-2025-27624 introduces a CSRF risk in Jenkins’ handling of sidepanel widget states (e.g., Build Queue).
Exploiting this, attackers could inject arbitrary strings into victims’ user profiles, creating persistence mechanisms for stored XSS or data exfiltration.
The vulnerability underscores flawed endpoint design: Jenkins historically permitted GET requests to change widget state, neglecting CSRF token validation. The patch enforces POST requests, aligning with REST security best practices.
Open Redirect via Backslash Manipulation (CVE-2025-27625)
CVE-2025-27625 enables open redirects by abusing Jenkins’ lax URL validation. Attackers could append backslashes (\) to URLs, tricking browsers into interpreting them as scheme-relative paths.
This facilitates phishing by redirecting users to malicious domains under the guise of Jenkins internal links.
The flaw originated from incomplete safe URL checks, which previously allowed backslash-prefixed redirects. Post-patch, Jenkins 2.500/LTS 2.492.2 rejects such URLs, mitigating phishing risks.
CloudBees credited Antoine Ruffino, Daniel Beck, and XBOW for discovering these issues, reaffirming the critical role of coordinated disclosure in maintaining CI/CD ecosystem security.
Mitigation and Remediation
Administrators must immediately upgrade to Jenkins 2.500 or LTS 2.492.2. For environments requiring delayed patching:
- Restrict Agent/Extended Read and View/Read permissions to essential users.
- Implement reverse proxy rules to block URLs containing backslashes.
- Enable CSRF filters and audit user profiles for anomalous entries.
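The backslash redirect flaw described under CVE-2025-27625, and the interim advice above to block backslash-bearing URLs, both come down to one question: is a redirect target a plain same-origin path, or something a browser will treat as scheme-relative? The following is an added example, not Jenkins' or CloudBees' code; it assumes a login-style `from=` redirect parameter and uses constructed access-log lines.

```python
import re
from urllib.parse import unquote, urlsplit


def _is_path_only(candidate: str) -> bool:
    """True if candidate is a single-slash relative path with no host or scheme."""
    # Browsers normalise '\' to '/', so '\\evil.example' is really '//evil.example'.
    # Normalising first is the step a check that only looks for '//' misses.
    normalised = candidate.replace("\\", "/")
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False
    # Control characters (CR/LF/tab) could split or mangle the Location header.
    return not any(ord(ch) < 0x20 for ch in candidate)


def is_safe_redirect_target(url: str) -> bool:
    """Accept a redirect target only if both its raw and percent-decoded forms
    are path-only; a %5C that decodes to a backslash must not slip through."""
    if not url:
        return False
    return all(_is_path_only(c) for c in {url, unquote(url)})


def safe_redirect(requested: str, fallback: str = "/") -> str:
    """Return the requested target if safe, otherwise the local fallback."""
    return requested if is_safe_redirect_target(requested) else fallback


# Constructed sample access-log lines (hypothetical, not from a real instance).
SAMPLE_LOG = """\
10.0.0.5 - - "GET /login?from=%2Fjob%2Fbuild%2F HTTP/1.1" 200
10.0.0.9 - - "GET /login?from=%5C%5Cevil.example HTTP/1.1" 302
10.0.0.9 - - "GET /login?from=/%5Cevil.example HTTP/1.1" 302
10.0.0.7 - - "GET /login?from=https://evil.example HTTP/1.1" 302
"""


def flag_unsafe_redirects(log_text: str, param: str = "from") -> list:
    """Return the decoded redirect targets in log_text that fail the check,
    i.e. requests an admin should review while the patch is still pending."""
    pattern = re.compile(rf"[?&]{re.escape(param)}=([^ &\"]+)")
    flagged = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            target = unquote(match.group(1))
            if not is_safe_redirect_target(target):
                flagged.append(target)
    return flagged
```

The same predicate serves as the allow rule for a reverse proxy or WAF, while `flag_unsafe_redirects` turns historical logs into a quick audit of whether the redirect vector was ever probed.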
These vulnerabilities collectively highlight the perennial challenge of securing automation tools with extensive API surfaces.
As Jenkins remains a high-value target for supply chain attacks, proactive patch management and least-privilege access controls are imperative.