CVE-2014-3680: Jenkins Exposure of Sensitive Information to an Unauthorized Actor vulnerability

May 17, 2022 (updated April 14, 2025)

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

References

access.redhat.com/errata/RHSA-2016:0070
access.redhat.com/security/cve/CVE-2014-3680
bugzilla.redhat.com/show_bug.cgi?id=1148645
github.com/advisories/GHSA-8x8p-mfwv-9fjw
nvd.nist.gov/vuln/detail/CVE-2014-3680
wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01

Code Behaviors & Features

Detect and mitigate CVE-2014-3680 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →