Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables.

Affected Packages

Maven io.jenkins:configuration-as-code

Affected versions: 0 (fixed in 1.25)

Related CVEs

CVE-2019-10362

Key Information

GHSA ID

GHSA-5r6p-p9r6-r326

Published

May 24, 2022 4:51 PM

Last Modified

June 28, 2022 10:38 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

io.jenkins:configuration-as-code

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.