vulnerability

Jenkins Advisory 2025-12-10: CVE-2025-67637: CVE-2025-67638: Build authorization token stored and displayed in plain text

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:L/Au:S/C:P/I:N/A:N)	Dec 11, 2025	Dec 11, 2025	Mar 18, 2026

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Published

Dec 11, 2025

Added

Dec 11, 2025

Modified

Mar 18, 2026

Description

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Solutions

jenkins-lts-upgrade-2_528_3jenkins-upgrade-2_541

References

CVE-2025-67637
https://attackerkb.com/topics/CVE-2025-67637
CVE-2025-67638
https://attackerkb.com/topics/CVE-2025-67638
CWE-312
URL-https://jenkins.io/security/advisory/2025-12-10/

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today