Description
Jenkins Job Configuration History Plugin 1356.ve360da_6c523a_ and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations, allowing attackers with Extended Read permission to view encrypted secret values that would otherwise be redacted.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the Jenkins Job Configuration History Plugin version 1356.ve360da_6c523a_ and earlier, which fails to redact encrypted secret values when displaying historical job and agent configurations. Users granted Extended Read permission can view these ciphertexts, exposing sensitive information that is otherwise protected. Although only the encrypted form is leaked, the availability of numerous ciphertexts can aid an attacker in compromising the encryption scheme or correlating secrets across jobs, potentially leading to plaintext disclosure if cryptographic weaknesses are present.

Affected Systems

Jenkins Project’s Job Configuration History Plugin, specifically releases up to and including 1356.ve360da_6c523a_. Any instance that uses this plugin version or older will be affected; specific downstream impacts depend on the plugin’s use in the organization’s CI/CD pipelines.

Risk and Exploitability

The vulnerability can be exploited by a user who holds the Extended Read permission, typically an internal role with broad read access. There is no known public exploit, and the EPSS score is not available, but the risk is considered significant because of the sensitive data exposed. The attacker only needs to open the plugin's configuration history page, which is a low-complexity attack path for an authorized user, so insider threats and privilege overreach pose the main risk.

Generated by OpenCVE AI on June 24, 2026 at 15:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of the Jenkins Job Configuration History Plugin that implements proper redaction of secret values.
  • Restrict or revoke the Extended Read permission for users who do not need it, ensuring that only trusted actors can view configuration histories.
  • Disable or remove the Job Configuration History Plugin if the feature is not required, thereby eliminating the exposure vector.
  • If an immediate upgrade is not possible, consider temporarily disabling the plugin until a patched version is available.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 15:30:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-312
Metrics    |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
           |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 15:00:00 +0000

Type       | Values Removed | Values Added
Title      |                | Information Disclosure of Encrypted Secrets in Jenkins Job Configuration History Plugin
Weaknesses |                | CWE-200
           |                | CWE-522

Wed, 24 Jun 2026 13:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Jenkins Job Configuration History Plugin 1356.ve360da_6c523a_ and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations, allowing attackers with Extended Read permission to view encrypted secret values that would otherwise be redacted.
References

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:12:42.211Z

Reserved: 2026-06-24T08:41:44.358Z

Link: CVE-2026-57287

Vulnrichment

Updated: 2026-06-24T14:12:37.072Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T15:15:04Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-312: Cleartext Storage of Sensitive Information
  • CWE-522: Insufficiently Protected Credentials