CVE-2025-67637

MEDIUM4.3EPSS 0.08%

Jenkins's build authorization token is stored and displayed in plain text

Published: 12/10/2025Modified: 2/4/2026

Description

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Affected packages (2)

Bitnami/jenkinsfrom 0, < 2.528.3, >= 2.529.0, < 2.541.0
Maven/org.jenkins-ci.main:jenkins-core>= 2.529, < 2.541

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-67637
PATCHhttps://github.com/jenkinsci/jenkins
WEBhttps://github.com/jenkinsci/jenkins/commit/4710d65339251aaf1d1599f19545db99be24d981
WEBhttps://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-783