Jenkins Security Advisory 2013-01-04 Description Vulnerability: Allows an attacker with HTTP access to retrieve the master cryptographic key of Jenkins. Impact: The key can be used to encrypt sensitive data, authenticate agents, and impersonate users in REST API calls. Attack Vector: Attackers can mount remote code execution or impersonate users. Mitigating Factors Applicable to Jenkins instances with agents and anonymous read access. Users can regenerate API tokens to prevent impersonation. Severity Rating: Critical Reason: Anonymous users can exploit the vulnerability for remote code execution. Fix Main Line Users: Upgrade to Jenkins 1.498. LTS Users: Upgrade to 1.480.2. Implications of Upgrade API tokens will change; update scripts and external programs accordingly. Agents started via Java Web Start may fail to reconnect; overwrite *jnlp files. Run the re-keying process via "Manage Jenkins" to update the encryption key. Other Resources Corresponding security advisory on CloudBees