August 5, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Multiple IBM Products Vulnerabilities
July 14, 2025
GuLoader Malspam Campaign – Active IOCs
July 14, 2025
Multiple IBM Products Vulnerabilities
July 14, 2025
GuLoader Malspam Campaign – Active IOCs
July 14, 2025
Severity
Medium
Analysis Summary
CVE-2025-53658 CVSS:5.4
Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
CVE-2025-53659 CVSS:6.5
Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
CVE-2025-53656 CVSS:6.5
Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
CVE-2025-53657 CVSS:4.3
Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
CVE-2025-53655 CVSS:5.3
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it.
CVE-2025-53654 CVSS:6.5
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
CVE-2025-53653 CVSS:4.3
Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
CVE-2025-53652 CVSS:8.2
Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters.
CVE-2025-53651 CVSS:6.3
Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log.
CVE-2025-53650 CVSS:7.3
Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log.
Impact
- Cross-Site Scripting
- Information Disclosure
- Gain Access
- Privilege Escalation
- Security Bypass
Indicators of Compromise
CVE
CVE-2025-53658
CVE-2025-53659
CVE-2025-53656
CVE-2025-53657
CVE-2025-53655
CVE-2025-53654
CVE-2025-53653
CVE-2025-53652
CVE-2025-53651
CVE-2025-53650
Affected Vendors
- Jenkins
Affected Products
- Jenkins Applitools Eyes Plugin 1.16.5
- Jenkins QMetry Test Management Plugin 1.13
- Jenkins ReadyAPI Functional Testing Plugin 1.11
- Jenkins Statistics Gatherer Plugin 2.0.3
- Jenkins Aqua Security Scanner Plugin 3.2.8
- Jenkins Git Parameter Plugin 439.vb_0e46ca_14534
- Jenkins HTML Publisher Plugin 425
- Jenkins Credentials Binding Plugin 687.v619cb_15e923f
Remediation
Refer to Jenkins Website for patch, upgrade, or suggested workaround information.