
Job Configuration History CVE-2026-57287

EUVD: EUVD-2026-38767 · MEDIUM
Cleartext Storage of Sensitive Information (CWE-312)
Published 2026-06-24 · Vendor: jenkins · GHSA-8qr4-27mh-hqfr
CVSS 3.1 score 4.3 (Vendor: jenkins)

Severity by source

Vendor (jenkins), PRIMARY: 4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

vuln.today AI: 4.3 MEDIUM
Rationale: Extended Read is a low-privilege Jenkins permission that is not granted by default. What is exposed is the encrypted form of each secret rather than its plaintext, so confidentiality impact is Low (C:L); there is no integrity or availability impact.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (jenkins).

CVSS Vector (Vendor: jenkins)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline (3 events)

Analysis Generated: Jun 24, 2026 16:22 (vuln.today)
CVSS changed: Jun 24, 2026 15:22 (NVD), from 4.3 (no severity) to 4.3 (MEDIUM)
CVE Published: Jun 24, 2026 13:20 (cve.org), no severity yet

Description (CVE.org)

Jenkins Job Configuration History Plugin 1356.ve360da_6c523a_ and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations, allowing attackers with Extended Read permission to view encrypted secret values that would otherwise be redacted.

Analysis (AI)

Jenkins Job Configuration History Plugin version 1356.ve360da_6c523a_ and earlier exposes encrypted secret values to any Jenkins user holding the Extended Read permission, because it does not apply Jenkins' standard secret redaction when rendering historical job and agent configurations. Encrypted credential values that Jenkins would normally mask are displayed in full within the plugin's history view. The values remain ciphertext under the instance's own secret key material (kept under JENKINS_HOME/secrets), so turning them into plaintext additionally requires access to that key material or another decryption path; what the flaw gives an attacker is the ciphertext to analyse offline. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain a Jenkins account holding the Extended Read permission
Delivery: Navigate to the Job Configuration History view
Exploit: Open a historical snapshot of a credential-bearing job or agent
Execution: Extract the unredacted encrypted secret values
Impact: Attempt offline decryption or credential reuse

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a valid Jenkins account with the Extended Read permission explicitly granted by an administrator. This permission is not granted by default and must be deliberately assigned, for example to give read-only auditors access to job configuration. …
Risk Assessment: The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) reflects network-accessible exploitation at low complexity, gated behind the Extended Read permission, which is not granted by default and must be explicitly assigned by an administrator. Confidentiality impact is rated Low because the exposed values are ciphertext rather than plaintext. …
Exploit Scenario: A Jenkins user with the Extended Read permission navigates to the Job Configuration History view for a job or agent whose configuration references pipeline credentials or other secrets. The plugin renders historical configuration snapshots without redacting encrypted values, displaying them where Jenkins would normally show masked placeholders. …
Remediation: Upgrade the Jenkins Job Configuration History Plugin to a fixed version later than 1356.ve360da_6c523a_, per the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3742. Until the upgrade is applied, review who holds Extended Read and consider whether secrets referenced by affected job histories should be rotated. …
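What the vulnerable history view leaks is the `{base64}` ciphertext form of each hudson.util.Secret, in place of the placeholder Jenkins renders elsewhere. An administrator who cannot upgrade immediately can at least establish which stored snapshots contain such values, and what a redacted rendering should look like, by scanning the snapshots on disk. The script below is an added example written for this page; it is not code from the Jenkins project or from the plugin. It assumes the plugin keeps its snapshots as config.xml files under $JENKINS_HOME/config-history/ (a path to verify on your instance), that an encrypted Secret serialises as `{base64}` whose decoded payload begins with a 0x01 version byte followed by 4-byte big-endian IV and ciphertext lengths, and that `****` stands in for Jenkins' masked placeholder; the sample snapshot and its token are constructed and contain no real secret.

```python
"""Audit stored Jenkins configuration snapshots for encrypted secret values.

Added example for this page (not Jenkins or plugin code). Assumptions:
  * the Job Configuration History plugin stores snapshots as config.xml files
    under $JENKINS_HOME/config-history/ (verify the path on your instance);
  * hudson.util.Secret serialises an encrypted value as "{base64}", where the
    decoded payload is: 0x01 version byte, 4-byte big-endian IV length,
    4-byte big-endian ciphertext length, the IV, then the ciphertext;
  * "****" stands in for the placeholder Jenkins shows where it redacts.
"""
from __future__ import annotations

import base64
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Braced base64 is only a candidate; the payload layout check below decides.
_CANDIDATE = re.compile(r"\{([A-Za-z0-9+/]{12,}={0,2})\}")
_SECRET_V1 = 0x01
PLACEHOLDER = "****"  # assumed stand-in for Jenkins' masked value


def is_encrypted_secret(token: str) -> bool:
    """True if token is a {base64} blob with the assumed Secret v1 layout."""
    m = _CANDIDATE.fullmatch(token)
    if not m:
        return False
    try:
        payload = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(payload) < 9 or payload[0] != _SECRET_V1:
        return False
    iv_len = int.from_bytes(payload[1:5], "big")
    data_len = int.from_bytes(payload[5:9], "big")
    return len(payload) == 9 + iv_len + data_len


def find_secrets(xml_text: str) -> list[tuple[str, str]]:
    """Return (element path, token) for every encrypted secret in a snapshot.

    Element text and attribute values are both checked; the path is an
    XPath-like locator so a report can name the exact field.
    """
    findings: list[tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        for name, value in elem.attrib.items():
            if is_encrypted_secret(value.strip()):
                findings.append((f"{path}/@{name}", value.strip()))
        if elem.text and is_encrypted_secret(elem.text.strip()):
            findings.append((path, elem.text.strip()))
        for child in elem:
            walk(child, f"{path}/{child.tag}")

    root = ET.fromstring(xml_text)
    walk(root, f"/{root.tag}")
    return findings


def redact(xml_text: str, placeholder: str = PLACEHOLDER) -> str:
    """Apply the redaction the vulnerable history view omits."""
    out = xml_text
    for _, token in find_secrets(xml_text):
        out = out.replace(token, placeholder)
    return out


def audit_history_dir(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Map each snapshot file under root that holds ciphertext to its findings."""
    report: dict[str, list[tuple[str, str]]] = {}
    for path in sorted(root.rglob("*.xml")):
        try:
            found = find_secrets(path.read_text(encoding="utf-8"))
        except (ET.ParseError, UnicodeDecodeError):
            continue  # unreadable or not a snapshot; skip rather than abort
        if found:
            report[str(path)] = found
    return report


def fake_secret_token() -> str:
    """Constructed token in the v1 layout with dummy IV/ciphertext bytes.

    Not a real Jenkins secret; it only exercises the structural check.
    """
    iv, ciphertext = bytes(range(16)), bytes(range(32))
    payload = (bytes([_SECRET_V1]) + len(iv).to_bytes(4, "big")
               + len(ciphertext).to_bytes(4, "big") + iv + ciphertext)
    return "{" + base64.b64encode(payload).decode("ascii") + "}"


# Constructed snapshot: one password parameter holding ciphertext, plus a
# braced base64 decoy that is not a Secret and must not be flagged.
SAMPLE_SNAPSHOT = """<project>
  <note>{c29tZS1wbGFpbi1iYXNlNjQtdmFsdWU=}</note>
  <properties>
    <hudson.model.ParametersDefinitionProperty>
      <parameterDefinitions>
        <hudson.model.PasswordParameterDefinition>
          <name>DEPLOY_TOKEN</name>
          <defaultValue>__TOKEN__</defaultValue>
        </hudson.model.PasswordParameterDefinition>
      </parameterDefinitions>
    </hudson.model.ParametersDefinitionProperty>
  </properties>
</project>
""".replace("__TOKEN__", fake_secret_token())

if __name__ == "__main__":
    for where, token in find_secrets(SAMPLE_SNAPSHOT):
        print(f"ciphertext at {where}: {token[:14]}...")
    print(redact(SAMPLE_SNAPSHOT))
```

Run `audit_history_dir(Path("/var/lib/jenkins/config-history"))` against the real directory to list which jobs' and agents' histories hold ciphertext; that tells you which credentials to prioritise for rotation if the instance's key material (JENKINS_HOME/secrets) could ever have been exposed, though it does not tell you whether anyone viewed them, which only the web access log can. The structural check, rather than a bare base64 regex, keeps plain base64 fields such as the decoy above from producing false positives; legacy unbraced secrets from very old instances are not recognised.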


