CVE-2025-67636 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2025-67636

CVE-2025-67636

December 10, 2025

A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views.

Affected Packages

https://github.com/jenkinsci/jenkins.git (GITHUB):

Affected version(s) >=jenkins-1.409.1 <jenkins-2.528.3

Fix Suggestion:

Update to version jenkins-2.528.3

https://github.com/jenkinsci/jenkins.git (GITHUB):

Affected version(s) >=jenkins-2.529 <jenkins-2.541

Fix Suggestion:

Update to version jenkins-2.541

org.jenkins-ci.main:jenkins-core (JAVA):

Affected version(s) >=1.396 <2.528.3

Fix Suggestion:

Update to version 2.528.3

org.jenkins-ci.main:jenkins-core (JAVA):

Affected version(s) >=2.529 <2.541

Fix Suggestion:

Update to version 2.541

Related Resources (4)

https://github.com/jenkinsci/jenkins

https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-1809

https://nvd.nist.gov/vuln/detail/CVE-2025-67636

https://github.com/jenkinsci/jenkins/commit/3ee7380c5e167fab865f58b52a81ef01c24b9eb2

Do you need more information?

CVSS v4

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Weakness Type (CWE)

Missing Authorization

CWE-862

EPSS

Base Score:

0.25

Products

Solutions

Resources

Company

Compare

Developer Tools