Summary: Jenkins has issued a security advisory on March 5, 2025, regarding multiple vulnerabilities affecting versions 2.499 and earlier, and LTS 2.492.1 and earlier. Notably, these vulnerabilities include the exposure of encrypted secrets and a cross-site request forgery (CSRF) flaw, necessitating immediate updates to mitigate risks. Users are strongly encouraged to upgrade to Jenkins versions 2.500 and LTS 2.492.2 to ensure their systems’ security.
Affected: Jenkins automation server
Keypoints :
- CVEs include CVE-2025-27622 and CVE-2025-27623, which expose encrypted secrets to users with specific permissions.
- CVE-2025-27624 represents a CSRF vulnerability that compromises user profile integrity.
- Update to versions 2.500 or LTS 2.492.2 is highly recommended to address these vulnerabilities.
- Details on an open redirect vulnerability (CVE-2025-27625) are also provided, highlighting potential phishing risks.
Source: https://securityonline.info/csrf-and-open-redirect-jenkins-patches-major-vulnerabilities/