CVE-2025-67638

Published Dec 10, 2025

Last updated 3 months ago

CVSS medium 4.3

Overview

Description: Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
Source: jenkinsci-cert@googlegroups.com
NVD status: Analyzed
Products: jenkins

Risk scores

CVSS 3.1

Type: Secondary
Base score: 4.3
Impact score: 1.4
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-312

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*",
            "matchCriteriaId": "A276E9FE-7CB8-4B6B-A399-14C0E7B10BC4",
            "versionEndExcluding": "2.528.3",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*",
            "matchCriteriaId": "F2388D03-0340-4C73-97B7-FB06AB6E972B",
            "versionEndExcluding": "2.541",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References