CVE-2022-25187: 
Java vulnerability analysis and mitigation

Jenkins Support Core Plugin version 2.79 and earlier contains a vulnerability (CVE-2022-25187) where sensitive information in the support bundle is not properly redacted. The vulnerability was discovered and disclosed on February 15, 2022, affecting the Support Core Plugin component of Jenkins (Jenkins Advisory, NVD).

The vulnerability is classified as a sensitive information exposure issue (CWE-212) with a CVSS v3.1 base score of 6.5 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U) with high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N) (NVD).

The vulnerability allows unauthorized access to sensitive information within the support bundle. Anyone with access to the support bundle can view sensitive information that should have been redacted, potentially exposing confidential system data (Jenkins Advisory).

The issue has been fixed in Support Core Plugin version 2.79.1. The update adds a list of keywords whose associated values will be redacted, stored in the security-stop-words.txt file located in $JENKINS_HOME/support. Administrators can amend this list to add additional keywords for values that should be redacted (Jenkins Advisory).