Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2025-1521
Vulnerability from csaf_certbund
Published
2025-07-09 22:00
Modified
2025-07-09 22:00
Summary
Jenkins Plugins: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterstützung bei Softwareentwicklungen aller Art.
Angriff
Ein entfernter Angreifer kann mehrere Schwachstellen in verschiedenen Jenkins Plugins ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen und um Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
- Sonstiges
- UNIX
- Windows
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterst\u00fctzung bei Softwareentwicklungen aller Art.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter Angreifer kann mehrere Schwachstellen in verschiedenen Jenkins Plugins ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren und um Informationen offenzulegen.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2025-1521 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1521.json" }, { "category": "self", "summary": "WID-SEC-2025-1521 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1521" }, { "category": "external", "summary": "Jenkins Security Advisory 2025-07-09 vom 2025-07-09", "url": "https://www.jenkins.io/security/advisory/2025-07-09/" } ], "source_lang": "en-US", "title": "Jenkins Plugins: Mehrere Schwachstellen", "tracking": { "current_release_date": "2025-07-09T22:00:00.000+00:00", "generator": { "date": "2025-07-10T11:19:43.558+00:00", "engine": { "name": "BSI-WID", "version": "1.4.0" } }, "id": "WID-SEC-W-2025-1521", "initial_release_date": "2025-07-09T22:00:00.000+00:00", "revision_history": [ { "date": "2025-07-09T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "Plugins", "product": { "name": "Jenkins Jenkins Plugins", "product_id": "T013614", "product_identification_helper": { "cpe": "cpe:/a:cloudbees:jenkins:plugins" } } } ], "category": "product_name", "name": "Jenkins" } ], "category": "vendor", "name": "Jenkins" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-53650", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53650" }, { "cve": "CVE-2025-53651", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53651" }, { "cve": "CVE-2025-53652", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53652" }, { "cve": "CVE-2025-53653", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53653" }, { "cve": "CVE-2025-53654", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53654" }, { "cve": "CVE-2025-53655", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53655" }, { "cve": "CVE-2025-53656", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53656" }, { "cve": "CVE-2025-53657", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53657" }, { "cve": "CVE-2025-53658", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53658" }, { "cve": "CVE-2025-53659", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53659" }, { "cve": "CVE-2025-53660", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53660" }, { "cve": "CVE-2025-53661", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53661" }, { "cve": "CVE-2025-53662", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53662" }, { "cve": "CVE-2025-53663", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53663" }, { "cve": "CVE-2025-53664", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53664" }, { "cve": "CVE-2025-53665", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53665" }, { "cve": "CVE-2025-53666", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53666" }, { "cve": "CVE-2025-53667", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53667" }, { "cve": "CVE-2025-53668", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53668" }, { "cve": "CVE-2025-53669", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53669" }, { "cve": "CVE-2025-53670", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53670" }, { "cve": "CVE-2025-53671", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53671" }, { "cve": "CVE-2025-53672", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53672" }, { "cve": "CVE-2025-53673", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53673" }, { "cve": "CVE-2025-53674", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53674" }, { "cve": "CVE-2025-53675", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53675" }, { "cve": "CVE-2025-53676", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53676" }, { "cve": "CVE-2025-53677", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53677" }, { "cve": "CVE-2025-53678", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53678" }, { "cve": "CVE-2025-53742", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53742" }, { "cve": "CVE-2025-53743", "product_status": { "known_affected": [ "T013614" ] }, "release_date": "2025-07-09T22:00:00.000+00:00", "title": "CVE-2025-53743" } ] }
CVE-2025-53650 (GCVE-0-2025-53650)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 20:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Credentials Binding Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53650", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T20:46:31.069947Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T20:47:00.504Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Jenkins Credentials Binding Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "687.v619cb_15e923f", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:26.473Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3499" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53650", "datePublished": "2025-07-09T15:39:26.473Z", "dateReserved": "2025-07-08T07:51:59.761Z", "dateUpdated": "2025-07-09T20:47:00.504Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53653 (GCVE-0-2025-53653)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Aqua Security Scanner Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53653", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:50:47.815427Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:15:36.546Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Aqua Security Scanner Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "3.2.8", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:28.429Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3542" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53653", "datePublished": "2025-07-09T15:39:28.429Z", "dateReserved": "2025-07-08T07:51:59.762Z", "dateUpdated": "2025-07-09T19:15:36.546Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53662 (GCVE-0-2025-53662)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins IFTTT Build Notifier Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53662", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:49:24.229144Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:14:37.396Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins IFTTT Build Notifier Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.2", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:33.696Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3541" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53662", "datePublished": "2025-07-09T15:39:33.696Z", "dateReserved": "2025-07-08T07:51:59.763Z", "dateUpdated": "2025-07-09T19:14:37.396Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53674 (GCVE-0-2025-53674)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Sensedia Api Platform tools Plugin |
Version: 1.0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53674", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:46:58.282404Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:13:17.415Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Sensedia Api Platform tools Plugin", "vendor": "Jenkins Project", "versions": [ { "status": "affected", "version": "1.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:40.807Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3551" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53674", "datePublished": "2025-07-09T15:39:40.807Z", "dateReserved": "2025-07-08T07:51:59.764Z", "dateUpdated": "2025-07-09T19:13:17.415Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53658 (GCVE-0-2025-53658)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Applitools Eyes Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53658", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:49:57.793465Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:15:05.444Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Jenkins Applitools Eyes Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.16.5", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:31.371Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3509" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53658", "datePublished": "2025-07-09T15:39:31.371Z", "dateReserved": "2025-07-08T07:51:59.762Z", "dateUpdated": "2025-07-09T19:15:05.444Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53654 (GCVE-0-2025-53654)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Statistics Gatherer Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53654", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:50:39.900593Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:15:30.348Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Statistics Gatherer Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "2.0.3", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:29.010Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3554" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53654", "datePublished": "2025-07-09T15:39:29.010Z", "dateReserved": "2025-07-08T07:51:59.762Z", "dateUpdated": "2025-07-09T19:15:30.348Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53660 (GCVE-0-2025-53660)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins QMetry Test Management Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53660", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:49:40.064699Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:14:51.404Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins QMetry Test Management Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.13", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:32.515Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3532" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53660", "datePublished": "2025-07-09T15:39:32.515Z", "dateReserved": "2025-07-08T07:51:59.762Z", "dateUpdated": "2025-07-09T19:14:51.404Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53673 (GCVE-0-2025-53673)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Sensedia Api Platform tools Plugin |
Version: 1.0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53673", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:47:57.275970Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:13:23.388Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Sensedia Api Platform tools Plugin", "vendor": "Jenkins Project", "versions": [ { "status": "affected", "version": "1.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:40.223Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3551" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53673", "datePublished": "2025-07-09T15:39:40.223Z", "dateReserved": "2025-07-08T07:51:59.764Z", "dateUpdated": "2025-07-09T19:13:23.388Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53672 (GCVE-0-2025-53672)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Kryptowire Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53672", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:48:07.917216Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-312", "description": "CWE-312 Cleartext Storage of Sensitive Information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:13:29.205Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Kryptowire Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "0.2", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:39.579Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3525" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53672", "datePublished": "2025-07-09T15:39:39.579Z", "dateReserved": "2025-07-08T07:51:59.764Z", "dateUpdated": "2025-07-09T19:13:29.205Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53668 (GCVE-0-2025-53668)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins VAddy Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53668", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:48:39.226617Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:13:55.206Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins VAddy Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.2.8", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:37.219Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3527" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53668", "datePublished": "2025-07-09T15:39:37.219Z", "dateReserved": "2025-07-08T07:51:59.763Z", "dateUpdated": "2025-07-09T19:13:55.206Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53675 (GCVE-0-2025-53675)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Warrior Framework Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53675", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:46:50.269812Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:13:11.179Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Warrior Framework Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.2", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:41.411Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3516" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53675", "datePublished": "2025-07-09T15:39:41.411Z", "dateReserved": "2025-07-08T07:51:59.764Z", "dateUpdated": "2025-07-09T19:13:11.179Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53671 (GCVE-0-2025-53671)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Nouvola DiveCloud Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53671", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:48:15.246360Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:13:36.287Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Nouvola DiveCloud Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.08", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:39.001Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3526" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53671", "datePublished": "2025-07-09T15:39:39.001Z", "dateReserved": "2025-07-08T07:51:59.764Z", "dateUpdated": "2025-07-09T19:13:36.287Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53676 (GCVE-0-2025-53676)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Xooa Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53676", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:46:41.197568Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:13:04.643Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Xooa Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "0.0.7", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:41.984Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3522" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53676", "datePublished": "2025-07-09T15:39:41.984Z", "dateReserved": "2025-07-08T07:51:59.765Z", "dateUpdated": "2025-07-09T19:13:04.643Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53655 (GCVE-0-2025-53655)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Statistics Gatherer Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53655", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:50:31.533142Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:15:24.586Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Statistics Gatherer Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "2.0.3", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:29.610Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3554" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53655", "datePublished": "2025-07-09T15:39:29.610Z", "dateReserved": "2025-07-08T07:51:59.762Z", "dateUpdated": "2025-07-09T19:15:24.586Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53678 (GCVE-0-2025-53678)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins User1st uTester Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53678", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:53:49.343330Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:12:51.823Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins User1st uTester Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.1", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:43.280Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3518" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53678", "datePublished": "2025-07-09T15:39:43.280Z", "dateReserved": "2025-07-08T07:51:59.765Z", "dateUpdated": "2025-07-09T19:12:51.823Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53669 (GCVE-0-2025-53669)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins VAddy Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53669", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:48:30.048911Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:13:48.784Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins VAddy Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.2.8", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:37.810Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3527" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53669", "datePublished": "2025-07-09T15:39:37.810Z", "dateReserved": "2025-07-08T07:51:59.764Z", "dateUpdated": "2025-07-09T19:13:48.784Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53651 (GCVE-0-2025-53651)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 20:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins HTML Publisher Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53651", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T20:47:22.921845Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-36", "description": "CWE-36 Absolute Path Traversal", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T20:47:49.813Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Jenkins HTML Publisher Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "425", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Kyler Katz" } ], "descriptions": [ { "lang": "en", "value": "Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:27.086Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3547" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53651", "datePublished": "2025-07-09T15:39:27.086Z", "dateReserved": "2025-07-08T07:51:59.761Z", "dateUpdated": "2025-07-09T20:47:49.813Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53664 (GCVE-0-2025-53664)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Apica Loadtest Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53664", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:49:08.469832Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:14:24.814Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Apica Loadtest Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.10", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:34.872Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3540" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53664", "datePublished": "2025-07-09T15:39:34.872Z", "dateReserved": "2025-07-08T07:51:59.763Z", "dateUpdated": "2025-07-09T19:14:24.814Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53743 (GCVE-0-2025-53743)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 17:38
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Applitools Eyes Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53743", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T17:36:45.433902Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T17:38:39.345Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Jenkins Applitools Eyes Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.16.5", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:56.051Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3510" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53743", "datePublished": "2025-07-09T15:39:56.051Z", "dateReserved": "2025-07-09T07:21:20.903Z", "dateUpdated": "2025-07-09T17:38:39.345Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53666 (GCVE-0-2025-53666)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Dead Man's Snitch Plugin |
Version: 0.1 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53666", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:48:53.573834Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:14:09.906Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Dead Man\u0027s Snitch Plugin", "vendor": "Jenkins Project", "versions": [ { "status": "affected", "version": "0.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Dead Man\u0027s Snitch Plugin 0.1 stores Dead Man\u0027s Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:36.057Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3524" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53666", "datePublished": "2025-07-09T15:39:36.057Z", "dateReserved": "2025-07-08T07:51:59.763Z", "dateUpdated": "2025-07-09T19:14:09.906Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53663 (GCVE-0-2025-53663)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins IBM Cloud DevOps Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53663", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:49:16.565631Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:14:31.163Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins IBM Cloud DevOps Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "2.0.16", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:34.283Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3552" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53663", "datePublished": "2025-07-09T15:39:34.283Z", "dateReserved": "2025-07-08T07:51:59.763Z", "dateUpdated": "2025-07-09T19:14:31.163Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53665 (GCVE-0-2025-53665)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Apica Loadtest Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53665", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:48:59.637814Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:14:18.034Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Apica Loadtest Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.10", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:35.465Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3540" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53665", "datePublished": "2025-07-09T15:39:35.465Z", "dateReserved": "2025-07-08T07:51:59.763Z", "dateUpdated": "2025-07-09T19:14:18.034Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53677 (GCVE-0-2025-53677)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Xooa Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53677", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:46:34.536324Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:12:58.217Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Xooa Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "0.0.7", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:42.556Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3522" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53677", "datePublished": "2025-07-09T15:39:42.556Z", "dateReserved": "2025-07-08T07:51:59.765Z", "dateUpdated": "2025-07-09T19:12:58.217Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53667 (GCVE-0-2025-53667)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Dead Man's Snitch Plugin 0.1 does not mask Dead Man's Snitch tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Dead Man's Snitch Plugin |
Version: 0.1 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53667", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:48:45.759807Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:14:02.674Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Dead Man\u0027s Snitch Plugin", "vendor": "Jenkins Project", "versions": [ { "status": "affected", "version": "0.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Dead Man\u0027s Snitch Plugin 0.1 does not mask Dead Man\u0027s Snitch tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:36.655Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3524" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53667", "datePublished": "2025-07-09T15:39:36.655Z", "dateReserved": "2025-07-08T07:51:59.763Z", "dateUpdated": "2025-07-09T19:14:02.674Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53659 (GCVE-0-2025-53659)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins QMetry Test Management Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53659", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:49:49.575860Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:14:57.596Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins QMetry Test Management Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.13", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:31.936Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3532" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53659", "datePublished": "2025-07-09T15:39:31.936Z", "dateReserved": "2025-07-08T07:51:59.762Z", "dateUpdated": "2025-07-09T19:14:57.596Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53652 (GCVE-0-2025-53652)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Git Parameter Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53652", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:50:57.266261Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:15:43.166Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Jenkins Git Parameter Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "439.vb_0e46ca_14534", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:27.816Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3419" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53652", "datePublished": "2025-07-09T15:39:27.816Z", "dateReserved": "2025-07-08T07:51:59.761Z", "dateUpdated": "2025-07-09T19:15:43.166Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53742 (GCVE-0-2025-53742)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 17:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Applitools Eyes Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53742", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T17:40:14.804044Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-312", "description": "CWE-312 Cleartext Storage of Sensitive Information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T17:42:04.961Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Jenkins Applitools Eyes Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.16.5", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:55.473Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3510" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53742", "datePublished": "2025-07-09T15:39:55.473Z", "dateReserved": "2025-07-09T07:21:20.902Z", "dateUpdated": "2025-07-09T17:42:04.961Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53656 (GCVE-0-2025-53656)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins ReadyAPI Functional Testing Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53656", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:50:21.944833Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-256", "description": "CWE-256 Plaintext Storage of a Password", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:15:17.999Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins ReadyAPI Functional Testing Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.11", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:30.211Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3556" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53656", "datePublished": "2025-07-09T15:39:30.211Z", "dateReserved": "2025-07-08T07:51:59.762Z", "dateUpdated": "2025-07-09T19:15:17.999Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53661 (GCVE-0-2025-53661)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Testsigma Test Plan run Plugin 1.6 and earlier does not mask Testsigma API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Testsigma Test Plan run Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53661", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:49:32.102427Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:14:45.215Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Testsigma Test Plan run Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.6", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Testsigma Test Plan run Plugin 1.6 and earlier does not mask Testsigma API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:33.106Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3515" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53661", "datePublished": "2025-07-09T15:39:33.106Z", "dateReserved": "2025-07-08T07:51:59.763Z", "dateUpdated": "2025-07-09T19:14:45.215Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53657 (GCVE-0-2025-53657)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:15
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins ReadyAPI Functional Testing Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53657", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:50:12.031409Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:15:11.504Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins ReadyAPI Functional Testing Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.11", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers to observe and capture them." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:30.813Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3556" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53657", "datePublished": "2025-07-09T15:39:30.813Z", "dateReserved": "2025-07-08T07:51:59.762Z", "dateUpdated": "2025-07-09T19:15:11.504Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53670 (GCVE-0-2025-53670)
Vulnerability from cvelistv5
Published
2025-07-09 15:39
Modified
2025-07-09 19:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Jenkins Project | Jenkins Nouvola DiveCloud Plugin |
Version: 0 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-53670", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-09T18:48:21.580446Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-312", "description": "CWE-312 Cleartext Storage of Sensitive Information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-09T19:13:42.645Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Jenkins Nouvola DiveCloud Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "1.08", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2025-07-09T15:39:38.401Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2025-07-09", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3526" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2025-53670", "datePublished": "2025-07-09T15:39:38.401Z", "dateReserved": "2025-07-08T07:51:59.764Z", "dateUpdated": "2025-07-09T19:13:42.645Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…