Security Advisories

CloudBees Security Advisory2025-07-09

This advisory announces vulnerabilities in 

,

and

CloudBees CI

,

and

Jenkins

Improper masking of credentials in Credentials Binding Plugin

SECURITY-3499 / CVE-2025-53650

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:credentials-binding|https://plugins.jenkins.io/credentials-binding]

Description:

Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log.

Credentials Binding Plugin 687.689.v1a_f775332fc9 rethrows exceptions that contain credentials, masking those credentials in the error messages.

File path information disclosure in HTML Publisher Plugin

SECURITY-3547 / CVE-2025-53651

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:htmlpublisher|https://plugins.jenkins.io/htmlpublisher]

Description:

HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log.

HTML Publisher Plugin 427 displays only the parent directory name of files archived during the Publish HTML reports post-build step in its log messages.

Missing input validation for parameter values in Git Parameter Plugin

SECURITY-3419 / CVE-2025-53652

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N]

Affected plugin: [pill:git-parameter|https://plugins.jenkins.io/git-parameter]

Description:

Git Parameter Plugin implements a choice build parameter that lists the configured Git SCM’s branches, tags, pull requests, and revisions.

Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices.

This allows attackers with Item/Build permission to inject arbitrary values into Git parameters.

Git Parameter Plugin 444.vca_b_84d3703c2 validates that the Git parameter value submitted to the build matches one of the offered choices.

Tokens stored in plain text by Aqua Security Scanner Plugin

SECURITY-3542 / CVE-2025-53653

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:aqua-security-scanner|https://plugins.jenkins.io/aqua-security-scanner]

Description:

Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce this.

AWS Secret Key stored and displayed in plain text by Statistics Gatherer Plugin

SECURITY-3554 / CVE-2025-53654 (storage), CVE-2025-53655 (masking)

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:statistics-gatherer|https://plugins.jenkins.io/statistics-gatherer]

Description:

Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml on the Jenkins controller as part of its configuration.

This key can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask this key, increasing the potential for attackers to observe and capture it.

As of publication of this advisory, there is no fix. Learn why we announce this.

Credentials stored and displayed in plain text by ReadyAPI Functional Testing Plugin

SECURITY-3556 / CVE-2025-53656 (storage), CVE-2025-53657 (masking)

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:soapui-pro-functional-testing|https://plugins.jenkins.io/soapui-pro-functional-testing]

Description:

ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix. Learn why we announce this.

Stored XSS vulnerability in Applitools Eyes Plugin

SECURITY-3509 / CVE-2025-53658

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]

Affected plugin: [pill:applitools-eyes|https://plugins.jenkins.io/applitools-eyes]

Description:

Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Applitools Eyes Plugin 1.16.6 rejects Applitools URLs that contain HTML metacharacters.

API keys stored and displayed in plain text by Applitools Eyes Plugin

SECURITY-3510 / CVE-2025-53742 (storage), CVE-2025-53743 (masking)

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:applitools-eyes|https://plugins.jenkins.io/applitools-eyes]

Description:

Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

Applitools Eyes Plugin 1.16.6 masks Applitools API keys displayed on the configuration form, and stores them encrypted once job configurations are saved again.

API keys stored and displayed in plain text by QMetry Test Management Plugin

SECURITY-3532 / CVE-2025-53659 (storage), CVE-2025-53660 (masking)

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:qmetry-test-management|https://plugins.jenkins.io/qmetry-test-management]

Description:

QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix. Learn why we announce this.

API keys displayed without masking by Testsigma Test Plan run Plugin

SECURITY-3515 / CVE-2025-53661

Severity (CVSS): [pill:Low|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N]

Affected plugin: [pill:testsigma|https://plugins.jenkins.io/testsigma]

Description:

Testsigma Test Plan run Plugin stores Testsigma API keys in job config.xml files on the Jenkins controller as part of its configuration.

While these API keys are stored encrypted on disk, in Testsigma Test Plan run Plugin 1.6 and earlier, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix. Learn why we announce this.

Keys stored in plain text by IFTTT Build Notifier Plugin

SECURITY-3541 / CVE-2025-53662

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:ifttt-build-notifier|https://plugins.jenkins.io/ifttt-build-notifier]

Description:

IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce this.

Tokens stored in plain text by IBM Cloud DevOps Plugin

SECURITY-3552 / CVE-2025-53663

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:ibm-cloud-devops|https://plugins.jenkins.io/ibm-cloud-devops]

Description:

IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce this.

Tokens stored and displayed in plain text by Apica Loadtest Plugin

SECURITY-3540 / CVE-2025-53664 (storage), CVE-2025-53665 (masking)

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:ApicaLoadtest|https://plugins.jenkins.io/ApicaLoadtest]

Description:

Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix. Learn why we announce this.

Tokens stored and displayed in plain text by Dead Man's Snitch Plugin

SECURITY-3524 / CVE-2025-53666 (storage), CVE-2025-53667 (masking)

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:deadmanssnitch|https://plugins.jenkins.io/deadmanssnitch]

Description:

Dead Man’s Snitch Plugin 0.1 stores Dead Man’s Snitch tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix. Learn why we announce this.

API Auth keys stored and displayed in plain text by VAddy Plugin

SECURITY-3527 / CVE-2025-53668 (storage), CVE-2025-53669 (masking)

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:vaddy-plugin|https://plugins.jenkins.io/vaddy-plugin]

Description:

VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix. Learn why we announce this.

Keys stored and displayed in plain text by Nouvola DiveCloud Plugin

SECURITY-3526 / CVE-2025-53670 (storage), CVE-2025-53671 (masking)

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:nouvola-divecloud|https://plugins.jenkins.io/nouvola-divecloud]

Description:

Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix. Learn why we announce this.

API key stored in plain text by Kryptowire Plugin

SECURITY-3525 / CVE-2025-53672

Severity (CVSS): [pill:Low|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:kryptowire|https://plugins.jenkins.io/kryptowire]

Description:

Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file org.aerogear.kryptowire.GlobalConfigurationImpl.xml on the Jenkins controller as part of its configuration.

This API key can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce this.

Token stored and displayed in plain text by Sensedia Api Platform tools Plugin

SECURITY-3551 / CVE-2025-53673 (storage), CVE-2025-53674 (masking)

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:sensedia-api-platform|https://plugins.jenkins.io/sensedia-api-platform]

Description:

Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file com.sensedia.configuration.SensediaApiConfiguration.xml on the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.

As of publication of this advisory, there is no fix. Learn why we announce this.

Passwords stored in plain text by Warrior Framework Plugin

SECURITY-3516 / CVE-2025-53675

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:warrior|https://plugins.jenkins.io/warrior]

Description:

Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce this.

Token stored and displayed in plain text by Xooa Plugin

SECURITY-3522 / CVE-2025-53676 (storage), CVE-2025-53677 (masking)

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:xooa|https://plugins.jenkins.io/xooa]

Description:

Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment token unencrypted in its global configuration file io.jenkins.plugins.xooa.GlobConfig.xml on the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.

As of publication of this advisory, there is no fix. Learn why we announce this.

Token stored in plain text by User1st uTester Plugin

SECURITY-3518 / CVE-2025-53678

Severity (CVSS): [pill:Low|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:user1st-utester|https://plugins.jenkins.io/user1st-utester]

Description:

User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file io.jenkins.plugins.user1st.utester.UTesterPlugin.xml on the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce this.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.504.3.28227
  • CloudBees Cloud Platforms should be upgraded to 2.504.3.28227

Credit

  • Aris ISSAD, Aix Marseille University for SECURITY-3540, SECURITY-3541, SECURITY-3542
  • Kyler Katz for SECURITY-3547
  • Rennan Cockles, R3Ck; and, independently, wakeward; and Ido for SECURITY-3499
  • Roman Nahornyi, Praxis Tech Ltd for SECURITY-3419
  • Romuald Moisan, Aix Marseille University for SECURITY-3516, SECURITY-3522, SECURITY-3524, SECURITY-3525, SECURITY-3526, SECURITY-3551, SECURITY-3552, SECURITY-3554
  • Romuald Moisan, Aix Marseille University, and Vincent Lardet, Aix Marseille University for SECURITY-3527, SECURITY-3556
  • Said Abdesslem Messadi, Aix Marseille University for SECURITY-3509, SECURITY-3510
  • Vincent Lardet, Aix Marseille University, and Romuald Moisan, Aix Marseille University for SECURITY-3518
  • Zaoui Zakariae, Aix Marseille University for SECURITY-3515, SECURITY-3532

Subscription confirmed

You'll now be notified automatically when new vulnerabilities
are disclosed