Description
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI, allowing attackers with View/Read permission to view encrypted values of secrets.
Remediation
References
Related Vulnerabilities
MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-1686)
Jetty Improper Input Validation Vulnerability (CVE-2025-11143)
WordPress Plugin Apptivo eCommerce Multiple Cross-Site Scripting Vulnerabilities (1.1.5)
WordPress Plugin Instagram Feed Unspecified Vulnerability (1.11.3)