Description

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Remediation

References

CVE-2025-67638

Related Vulnerabilities

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-8228)

ATutor Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2012-6528)

WordPress Improper Input Validation Vulnerability (CVE-2020-28037)

Internet Information Services Other Vulnerability (CVE-2002-0072)

WordPress Plugin Art-Picture-Gallery Arbitrary File Upload (1.2.9)

Severity

Medium

Classification

CVE-2025-67638 CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities