Jenkins plugins Multiple Vulnerabilities (2025-07-09)

medium Nessus Plugin ID 241693

Synopsis

An application running on a remote web server host is affected by multiple vulnerabilities.

Description

According to their self-reported version numbers, the versions of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities:

- Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. (CVE-2025-53742)

- Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. (CVE-2025-53658)

- Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log. (CVE-2025-53650)

- Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log. (CVE-2025-53651)

- Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters. (CVE-2025-53652)

- Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. (CVE-2025-53653)

- Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. (CVE-2025-53654)

- Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it. (CVE-2025-53655)

- Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. (CVE-2025-53656)

- Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers to observe and capture them. (CVE-2025-53657)

- Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. (CVE-2025-53743)

- Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. (CVE-2025-53659)

- Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. (CVE-2025-53660)

- Jenkins Testsigma Test Plan run Plugin 1.6 and earlier does not mask Testsigma API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. (CVE-2025-53661)

- Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. (CVE-2025-53662)

- Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. (CVE-2025-53663)

- Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. (CVE-2025-53664)

- Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. (CVE-2025-53665)

- Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. (CVE-2025-53666)

- Jenkins Dead Man's Snitch Plugin 0.1 does not mask Dead Man's Snitch tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. (CVE-2025-53667)

- Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. (CVE-2025-53668)

- Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. (CVE-2025-53669)

- Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. (CVE-2025-53670)

- Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. (CVE-2025-53671)

- Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. (CVE-2025-53672)

- Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. (CVE-2025-53673)

- Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it. (CVE-2025-53674)

- Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. (CVE-2025-53675)

- Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. (CVE-2025-53676)

- Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it. (CVE-2025-53677)

- Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. (CVE-2025-53678)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update Jenkins plugins to the following versions:
- Apica Loadtest Plugin: See vendor advisory
- Applitools Eyes Plugin to version 1.16.6 or later
- Aqua Security Scanner Plugin: See vendor advisory
- Credentials Binding Plugin to version 687.689.v1a_f775332fc9 or later
- Dead Man's Snitch Plugin: See vendor advisory
- Git Parameter Plugin to version 444.vca_b_84d3703c2 or later
- HTML Publisher Plugin to version 427 or later
- IBM Cloud DevOps Plugin: See vendor advisory
- IFTTT Build Notifier Plugin: See vendor advisory
- Kryptowire Plugin: See vendor advisory
- Nouvola DiveCloud Plugin: See vendor advisory
- QMetry Test Management Plugin: See vendor advisory
- ReadyAPI Functional Testing Plugin: See vendor advisory
- Sensedia Api Platform tools Plugin: See vendor advisory
- Statistics Gatherer Plugin: See vendor advisory
- Testsigma Test Plan run Plugin: See vendor advisory
- User1st uTester Plugin: See vendor advisory
- VAddy Plugin: See vendor advisory
- Warrior Framework Plugin: See vendor advisory
- Xooa Plugin: See vendor advisory

See vendor advisory for more details.
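
Because the check relies on self-reported versions, the same triage can be repeated against an exported plugin inventory. The following is an added example, not part of the Nessus plugin or the Jenkins advisory: it compares installed versions with the fixed versions listed above. It assumes an inventory of `Display name | version` lines, uses the plugin names as written on this page as keys, and orders versions by their leading numeric components only (a simplification of Jenkins version ordering).

```python
# Fixed versions, copied from the Solution list on this page.
FIXED = {
    "Applitools Eyes Plugin": "1.16.6",
    "Credentials Binding Plugin": "687.689.v1a_f775332fc9",
    "Git Parameter Plugin": "444.vca_b_84d3703c2",
    "HTML Publisher Plugin": "427",
}
# Last affected version for plugins listed as "See vendor advisory"
# (three of them, copied from the Description; extend as needed).
NO_FIX = {
    "Aqua Security Scanner Plugin": "3.2.8",
    "VAddy Plugin": "1.2.8",
    "Xooa Plugin": "0.0.7",
}

def version_key(version):
    """'687.689.v1a_f775332fc9' -> (687, 689). Assumption: only the leading
    numeric components order releases; the 'v<hash>' suffix is ignored."""
    key = []
    for part in version.strip().split("."):
        if not part.isdigit():
            break
        key.append(int(part))
    if not key:
        raise ValueError(f"no numeric version prefix in {version!r}")
    return tuple(key)

def classify(name, version):
    if name in FIXED:
        return "update" if version_key(version) < version_key(FIXED[name]) else "ok"
    if name in NO_FIX:
        # No fixed version is given on this page; see the vendor advisory.
        return "no-fix" if version_key(version) <= version_key(NO_FIX[name]) else "review"
    return "not-listed"

def audit(inventory):
    """inventory: lines of 'Display name | version'. Returns (name, version, status)."""
    rows = []
    for line in inventory.strip().splitlines():
        name, version = (field.strip() for field in line.rsplit("|", 1))
        rows.append((name, version, classify(name, version)))
    return rows

# Constructed inventory, not taken from a real controller.
SAMPLE = """
Credentials Binding Plugin | 687.v619cb_15e923f
Git Parameter Plugin | 444.vca_b_84d3703c2
HTML Publisher Plugin | 425
Xooa Plugin | 0.0.7
Example Unlisted Plugin | 2.0
"""

if __name__ == "__main__":
    for name, version, status in audit(SAMPLE):
        print(f"{status:10} {name} {version}")
```

A `review` status means the installed version is newer than the last affected version stated on this page, so the vendor advisory should be checked for that plugin.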

See Also

https://jenkins.io/security/advisory/2025-07-09

Plugin Details

Severity: Medium

ID: 241693

File Name: jenkins_security_advisory_2025-07-09_plugins.nasl

Version: 1.1

Type: combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 7/10/2025

Updated: 7/10/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 5.0

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-53658

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2025-53742

Vulnerability Information

CPE: cpe:/a:jenkins:jenkins, cpe:/a:cloudbees:jenkins

Required KB Items: installed_sw/Jenkins

Exploit Ease: No known exploits are available

Patch Publication Date: 7/9/2025

Vulnerability Publication Date: 7/9/2025

Reference Information

CVE: CVE-2025-53650, CVE-2025-53651, CVE-2025-53652, CVE-2025-53653, CVE-2025-53654, CVE-2025-53655, CVE-2025-53656, CVE-2025-53657, CVE-2025-53658, CVE-2025-53659, CVE-2025-53660, CVE-2025-53661, CVE-2025-53662, CVE-2025-53663, CVE-2025-53664, CVE-2025-53665, CVE-2025-53666, CVE-2025-53667, CVE-2025-53668, CVE-2025-53669, CVE-2025-53670, CVE-2025-53671, CVE-2025-53672, CVE-2025-53673, CVE-2025-53674, CVE-2025-53675, CVE-2025-53676, CVE-2025-53677, CVE-2025-53678, CVE-2025-53742, CVE-2025-53743