Impact
The Jenkins Job Configuration History Plugin versions up to 1356.ve360da_6c523a_ do not redact encrypted secret values when displaying historical job and agent configurations. This flaw permits a user with Extended Read permission to view ciphertext that should be hidden, resulting in the exposure of encrypted secrets. The weakness is a data privacy and cryptographic unauthenticated disclosure flaw identified as CWE‑312.
Affected Systems
Jenkins Project’s Job Configuration History Plugin version 1356.ve360da_6c523a_ and all earlier releases are vulnerable. Any installation of this plugin, regardless of Jenkins core version, may expose encrypted secret values if the plugin’s history feature is accessed by a user with the appropriate permissions.
Risk and Exploitability
The vulnerability requires only Extended Read access, a permission that can be granted by a project administrator. The CVSS score of 4.3 indicates a medium severity impact, and the vulnerability is not listed in CISA KEV. EPSS data is not available. The likely attack vector is an internal user or a compromised account that leverages the plugin’s history page to obtain ciphertexts; based on the description, it is inferred that an attacker could subsequently amass multiple ciphertext samples that might aid a cryptanalysis effort. This risk is significant for organizations that store sensitive tokens and credentials in Jenkins jobs and restrict visibility to a narrow set of users.
OpenCVE Enrichment