CVE-2025-27623: 
Java vulnerability analysis and mitigation

CVE-2025-27623 is a security vulnerability discovered in Jenkins, affecting versions 2.499 and earlier, as well as LTS 2.492.1 and earlier. The vulnerability was disclosed on March 5, 2025, and relates to the exposure of encrypted secrets stored in view configurations. This issue was identified as SECURITY-3496 in Jenkins' security tracking system (Jenkins Advisory).

The vulnerability is classified with a Medium severity rating and has been assigned a CVSS 3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue stems from Jenkins' failure to redact encrypted values of secrets when accessing config.xml of views via REST API or CLI. The vulnerability is categorized under CWE-312 (Cleartext Storage of Sensitive Information) (NVD, Red Hat).

The vulnerability allows attackers with View/Read permission to access encrypted values of secrets stored in view configurations. This exposure of sensitive information could potentially lead to unauthorized access to protected resources or systems (Jenkins Advisory).

The vulnerability has been patched in Jenkins version 2.500 and LTS version 2.492.2. The fix implements proper redaction of encrypted values of secrets stored in view config.xml when accessed via REST API or CLI for users lacking View/Configure permission. Users are strongly advised to upgrade to these versions or later (Jenkins Advisory).