
oss-sec mailing list archives
Multiple vulnerabilities in Jenkins plugins
From: Kevin Guerroudj <kguerroudj () cloudbees com>
Date: Wed, 9 Jul 2025 16:14:36 +0200
Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Applitools Eyes Plugin 1.16.6
* Credentials Binding Plugin 696.v256688029804
* Git Parameter Plugin 444.vca_b_84d3703c2
* HTML Publisher Plugin 427

Additionally, we announce unresolved security issues in the following plugins:

* Apica Loadtest Plugin
* Aqua Security Scanner Plugin
* Dead Man's Snitch Plugin
* IBM Cloud DevOps Plugin
* IFTTT Build Notifier Plugin
* Kryptowire Plugin
* Nouvola DiveCloud Plugin
* QMetry Test Management Plugin
* ReadyAPI Functional Testing Plugin
* Sensedia Api Platform tools Plugin
* Statistics Gatherer Plugin
* Testsigma Test Plan run Plugin
* User1st uTester Plugin
* VAddy Plugin
* Warrior Framework Plugin
* Xooa Plugin

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://www.jenkins.io/security/advisory/2025-07-09/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3499 / CVE-2025-53650
Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log.

SECURITY-3547 / CVE-2025-53651
HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log.

SECURITY-3419 / CVE-2025-53652
Git Parameter Plugin implements a choice build parameter that lists the configured Git SCM's branches, tags, pull requests, and revisions.

Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices.

This allows attackers with Item/Build permission to inject arbitrary values into Git parameters.

SECURITY-3542 / CVE-2025-53653
Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

SECURITY-3554 / CVE-2025-53654 (storage) & CVE-2025-53655 (masking)
Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file `org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml` on the Jenkins controller as part of its configuration.

This key can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask this key, increasing the potential for attackers to observe and capture it.

As of publication of this advisory, there is no fix.

SECURITY-3556 / CVE-2025-53656 (storage) & CVE-2025-53657 (masking)
ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix.

SECURITY-3509 / CVE-2025-53658
Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

SECURITY-3510 / CVE-2025-53742 (storage) & CVE-2025-53743 (masking)
Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

SECURITY-3532 / CVE-2025-53659 (storage) & CVE-2025-53660 (masking)
QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix.

SECURITY-3515 / CVE-2025-53661
Testsigma Test Plan run Plugin stores Testsigma API keys in job `config.xml` files on the Jenkins controller as part of its configuration.

While these API keys are stored encrypted on disk, in Testsigma Test Plan run Plugin 1.6 and earlier, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix.

SECURITY-3541 / CVE-2025-53662
IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.

These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

SECURITY-3552 / CVE-2025-53663
IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

SECURITY-3540 / CVE-2025-53664 (storage) & CVE-2025-53665 (masking)
Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix.

SECURITY-3524 / CVE-2025-53666 (storage) & CVE-2025-53667 (masking)
Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix.

SECURITY-3527 / CVE-2025-53668 (storage) & CVE-2025-53669 (masking)
VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix.

SECURITY-3526 / CVE-2025-53670 (storage) & CVE-2025-53671 (masking)
Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix.

SECURITY-3525 / CVE-2025-53672
Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file `org.aerogear.kryptowire.GlobalConfigurationImpl.xml` on the Jenkins controller as part of its configuration.

This API key can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

SECURITY-3551 / CVE-2025-53673 (storage) & CVE-2025-53674 (masking)
Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file `com.sensedia.configuration.SensediaApiConfiguration.xml` on the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.

As of publication of this advisory, there is no fix.

SECURITY-3516 / CVE-2025-53675
Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

SECURITY-3522 / CVE-2025-53676 (storage) & CVE-2025-53677 (masking)
Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment token unencrypted in its global configuration file `io.jenkins.plugins.xooa.GlobConfig.xml` on the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.

As of publication of this advisory, there is no fix.

SECURITY-3518 / CVE-2025-53678
User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file `io.jenkins.plugins.user1st.utester.UTesterPlugin.xml` on the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.
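Most of the unresolved entries above describe one pattern: a plugin keeps a credential as a plain string in a job `config.xml` or in a global configuration file, where anyone with Item/Extended Read permission or controller file system access can read it. The script below is an added example for administrators who want to find such values on their own controller; it is not part of this advisory and not code from any of the plugins named. It assumes that a credential stored through `hudson.util.Secret` is serialized on disk as a base64 string wrapped in braces, treats any element whose name contains token, key, secret, password, passwd or credential as worth inspecting (a heuristic that prefers false positives), and ships with a constructed sample `config.xml` whose `com.example.ScannerBuilder` element is a hypothetical plugin class, not a real one.

```python
"""Audit Jenkins config.xml files for credential-like values stored in plaintext.

Added example, not part of the advisory or of any Jenkins plugin. Assumption: an
encrypted hudson.util.Secret is serialized as '{<base64>}'; any other non-empty
text under a credential-like element is reported as plaintext for manual review.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

# Element names that commonly hold credentials in plugin configuration (heuristic,
# deliberately broad; hits are leads for review, not confirmed findings).
SECRET_TAG = re.compile(r"(token|key|secret|password|passwd|credential)", re.IGNORECASE)

# Serialized encrypted Secret: base64 ciphertext wrapped in braces (assumption).
ENCRYPTED_VALUE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def is_encrypted_secret(value: str) -> bool:
    """True if the value looks like a serialized, encrypted Jenkins Secret."""
    return bool(ENCRYPTED_VALUE.match(value.strip()))


def _element_path(elem, parent_map):
    """Build a /-separated path from the document root to elem (namespaces dropped)."""
    parts = []
    while elem is not None:
        parts.append(elem.tag.split("}")[-1])
        elem = parent_map.get(elem)
    return "/".join(reversed(parts))


def find_plaintext_secrets(xml_text):
    """Return [(element_path, value)] for credential-like elements stored in plaintext."""
    root = ET.fromstring(xml_text)
    parent_map = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]
        if not SECRET_TAG.search(tag):
            continue
        value = (elem.text or "").strip()
        if not value or is_encrypted_secret(value):
            continue  # empty, or already encrypted on disk: nothing to report
        findings.append((_element_path(elem, parent_map), value))
    return findings


def iter_config_files(jenkins_home):
    """Yield top-level global *.xml files and every jobs/**/config.xml (folders nest)."""
    for name in sorted(os.listdir(jenkins_home)):
        path = os.path.join(jenkins_home, name)
        if name.endswith(".xml") and os.path.isfile(path):
            yield path
    for dirpath, _dirnames, filenames in os.walk(os.path.join(jenkins_home, "jobs")):
        if "config.xml" in filenames:
            yield os.path.join(dirpath, "config.xml")


def audit_jenkins_home(jenkins_home):
    """Map each config file under JENKINS_HOME to its plaintext-credential findings."""
    results = {}
    for path in iter_config_files(jenkins_home):
        try:
            with open(path, "rb") as fh:  # bytes, so the XML declaration's encoding is honoured
                findings = find_plaintext_secrets(fh.read())
        except (OSError, ET.ParseError):
            continue  # unreadable or not well-formed XML: skip
        if findings:
            results[path] = findings
    return results


# Constructed sample job config.xml with a hypothetical plugin class: one field keeps
# its API key in plaintext, the other two are stored as encrypted Secrets.
SAMPLE_CONFIG_XML = """<project>
  <keepDependencies>false</keepDependencies>
  <builders>
    <com.example.ScannerBuilder>
      <serverUrl>https://scanner.example.invalid</serverUrl>
      <apiKey>plain-text-api-key-123</apiKey>
      <apiToken>{AQAAABAAAAAwY29uc3RydWN0ZWQtc2FtcGxlLW9ubHk=}</apiToken>
      <password>{AQAAABAAAAAgc2Vjb25kLWNvbnN0cnVjdGVkLXZhbHVl}</password>
    </com.example.ScannerBuilder>
  </builders>
</project>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = audit_jenkins_home(sys.argv[1]).items()
    else:
        report = [("<sample>", find_plaintext_secrets(SAMPLE_CONFIG_XML))]
    for path, findings in report:
        for elem_path, value in findings:
            # Print only a short prefix so the audit output does not itself leak the value.
            print(f"{path}: {elem_path} = {value[:4]}... (plaintext)")
```

Run it without arguments to see it flag `project/builders/com.example.ScannerBuilder/apiKey` in the sample, or with a JENKINS_HOME path (for example `python audit.py /var/lib/jenkins`, path assumed) to scan a controller. A hit under a plugin that has no fix is a signal to restrict Item/Extended Read and controller file system access, and to rotate the exposed token once the plugin is removed or updated.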