From 5ab12d05b51b5d72f24944afe5f206c980db9f5e Mon Sep 17 00:00:00 2001 From: somiljain2006 Date: Thu, 9 Apr 2026 19:50:55 +0530 Subject: [PATCH 1/2] Add SECURITY-1446 advisory link to secrets documentation --- docs/features/secrets.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/features/secrets.adoc b/docs/features/secrets.adoc index f1ead155ab..cc05a5873c 100644 --- a/docs/features/secrets.adoc +++ b/docs/features/secrets.adoc @@ -152,7 +152,7 @@ ${trim:${readFile:/secret/passphrase.txt}} === Security and compatibility considerations -// TODO(oleg_nenashev): Add a link to the advisory once ready +For more details, see the link:https://www.jenkins.io/security/advisory/2019-07-31/#SECURITY-1446[Jenkins Security Advisory for SECURITY-1446 (CVE-2019-10362)]. Jenkins configurations might include property definitions, e.g. for Token Macro resolution in Mail Ext Plugin. From 2b199cb873ea634e9f4d34b387b3486da0dab305 Mon Sep 17 00:00:00 2001 From: somiljain2006 Date: Thu, 9 Apr 2026 20:59:38 +0530 Subject: [PATCH 2/2] Removal of whole section --- docs/features/secrets.adoc | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/docs/features/secrets.adoc b/docs/features/secrets.adoc index cc05a5873c..2aa53fac62 100644 --- a/docs/features/secrets.adoc +++ b/docs/features/secrets.adoc 
@@ -150,29 +150,6 @@ Example: ${trim:${readFile:/secret/passphrase.txt}} ``` -=== Security and compatibility considerations - -For more details, see the link:https://www.jenkins.io/security/advisory/2019-07-31/#SECURITY-1446[Jenkins Security Advisory for SECURITY-1446 (CVE-2019-10362)]. - -Jenkins configurations might include property definitions, -e.g. for Token Macro resolution in Mail Ext Plugin. -Such properties are not supposed to be resolved when importing configurations, -but the JCasC plugin has no way to determine which variables should be resolved when reading the configurations. - -In some cases non-admin users can contribute to JCasC exports if they have some permissions -(e.g. agent/view configuration or credentials management), -and they could potentially inject variable expressions in plain text fields like descriptions -and then see the resolved secrets in Jenkins Web UI if the Jenkins admin exports and imports the configuration without checking contents. -It led to a security vulnerability which was addressed in JCasC `1.25` (SECURITY-1446). - -- When reading configuration YAMLs, JCasC plugin will try to resolve - **all** variables having the `${VARNAME}` format. -- Starting from JCasC `1.25`, JCasC export escapes the internal variable expressions, - e.g. as `^${VARNAME}`, so newly exported and then imported configurations are - are not subject for this risk -- For previously exported configurations, Jenkins admins are expected to manually - resolve the issues by putting the escape symbol `^` in front of variables which should not be resolved - === Secret sources In JCasC there is a link:https://jenkins.io/doc/developer/extensions/configuration-as-code/#secretsource[SecretSource extension point] which allows resolving variables passed to JCasC.
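Review bot: In the PATCH 1/2 hunk the new line "For more details, see the link:...[Jenkins Security Advisory for SECURITY-1446 (CVE-2019-10362)]." is placed directly under the "=== Security and compatibility considerations" heading, before the section has said what the issue is, so "more details" has nothing to refer to yet. Consider moving the sentence to the end of the paragraph that closes with "It led to a security vulnerability which was addressed in JCasC `1.25` (SECURITY-1446).", where the advisory reference follows the explanation it supplements, or rewording it to state what the advisory covers (the variable-resolution issue in JCasC exports) rather than "more details".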
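Review bot: The PATCH 2/2 hunk removes the entire "=== Security and compatibility considerations" section, and with it the only operational guidance the page has on variable escaping: that JCasC resolves all `${VARNAME}` expressions when reading YAML, that exports from `1.25` onward escape internal expressions as `^${VARNAME}`, and that admins with older exports must add the `^` prefix by hand to variables that should not be resolved. The historical narrative about SECURITY-1446 can reasonably go, but the three bullets describe current behaviour that admins still need; suggest keeping them (for example under the following "=== Secret sources" section, or a short "Escaping variables" note) and, if any of the removed text is kept, fixing the doubled "are are not subject for this risk" to "are not subject to this risk". Also note that this hunk deletes the advisory link that PATCH 1/2 added, so the two commits cancel each other on that line; squashing them, or dropping the first, would keep the history clean.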