Description
Jenkins Job Configuration History Plugin 1356.ve360da_6c523a_ and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations, allowing attackers with Extended Read permission to view encrypted secret values that would otherwise be redacted.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Jenkins Job Configuration History Plugin versions up to 1356.ve360da_6c523a_ do not redact encrypted secret values when displaying historical job and agent configurations. This flaw permits a user with Extended Read permission to view ciphertext that should be hidden, resulting in the exposure of encrypted secrets. The weakness is a data privacy and cryptographic unauthenticated disclosure flaw identified as CWE‑312.

Affected Systems

Jenkins Project’s Job Configuration History Plugin version 1356.ve360da_6c523a_ and all earlier releases are vulnerable. Any installation of this plugin, regardless of Jenkins core version, may expose encrypted secret values if the plugin’s history feature is accessed by a user with the appropriate permissions.

Risk and Exploitability

The vulnerability requires only Extended Read access, a permission that can be granted by a project administrator. The CVSS score of 4.3 indicates a medium severity impact, and the vulnerability is not listed in CISA KEV. EPSS data is not available. The likely attack vector is an internal user or a compromised account that leverages the plugin’s history page to obtain ciphertexts; based on the description, it is inferred that an attacker could subsequently amass multiple ciphertext samples that might aid a cryptanalysis effort. This risk is significant for organizations that store sensitive tokens and credentials in Jenkins jobs and restrict visibility to a narrow set of users.

Generated by OpenCVE AI on June 24, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched release of the Jenkins Job Configuration History Plugin that implements proper redaction of secret values.
  • Restrict or revoke Extended Read permissions for users who do not require visibility of job or agent configuration history.
  • If an upgrade cannot be performed immediately, consider disabling the plugin or removing the affected history feature to eliminate the data exposure vector.

Generated by OpenCVE AI on June 24, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins Job Configuration History Plugin
Vendors & Products Jenkins Project
Jenkins Project jenkins Job Configuration History Plugin

Wed, 24 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Encrypted Secrets Exposed via Jenkins Job Configuration History Plugin

Wed, 24 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Information Disclosure of Encrypted Secrets in Jenkins Job Configuration History Plugin
Weaknesses CWE-200
CWE-522

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-312
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Information Disclosure of Encrypted Secrets in Jenkins Job Configuration History Plugin
Weaknesses CWE-200
CWE-522

Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Jenkins Job Configuration History Plugin 1356.ve360da_6c523a_ and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations, allowing attackers with Extended Read permission to view encrypted secret values that would otherwise be redacted.
References

Subscriptions

Jenkins Project Jenkins Job Configuration History Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:12:42.211Z

Reserved: 2026-06-24T08:41:44.358Z

Link: CVE-2026-57287

cve-icon Vulnrichment

Updated: 2026-06-24T14:12:37.072Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:13Z

Weaknesses
  • CWE-312

    Cleartext Storage of Sensitive Information