
Multiple Jenkins Plugins Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2025-53668 CVSS:6.5

Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

CVE-2025-53669 CVSS:4.3

Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

CVE-2025-53667 CVSS:5.3

Jenkins Dead Man's Snitch Plugin 0.1 does not mask Dead Man's Snitch tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

CVE-2025-53666 CVSS:6.5

Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

CVE-2025-53665 CVSS:4.3

Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

CVE-2025-53664 CVSS:6.5

Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

CVE-2025-53663 CVSS:6.5

Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

CVE-2025-53662 CVSS:6.5

Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

CVE-2025-53661 CVSS:4.3

Jenkins Testsigma Test Plan run Plugin 1.6 and earlier does not mask Testsigma API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

CVE-2025-53660 CVSS:4.3

Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
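Every "stores ... unencrypted in job config.xml" entry above describes the same defect: the plugin keeps a credential as a plain String instead of a Jenkins `hudson.util.Secret`, so the value lands in the job's `config.xml` in clear text. A practical way to find out whether any job on a controller is affected is to scan the job configuration files for leaf elements that look like credentials but do not carry Jenkins' encrypted `{base64}` form. The script below is an added example for that check; it is not part of the Rewterz advisory or of any Jenkins plugin. The sample `config.xml` it scans is constructed here with hypothetical plugin class and element names, and the `scan_jenkins_home` helper assumes the standard `jobs/<name>/config.xml` layout under `JENKINS_HOME`.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample (not from any real plugin): one builder keeps its API key
# as a plain string, one publisher stores its token as an encrypted Secret.
SAMPLE_CONFIG_XML = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <builders>
    <com.example.SomeScannerBuilder plugin="some-plugin@1.0">
      <apiAuthKey>plain-text-key-EXAMPLE-0123456789</apiAuthKey>
      <projectId>demo</projectId>
    </com.example.SomeScannerBuilder>
  </builders>
  <publishers>
    <com.example.SomeNotifier plugin="some-notifier@1.0">
      <token>{AQAAABAAAAAQ1yQzZmVjY2FjZDk4NGRjNGQ1ZjY4YjY3ZDI0MzA0NWQ=}</token>
    </com.example.SomeNotifier>
  </publishers>
</project>
"""

# Element names that usually hold a credential (case-insensitive substring match).
SECRET_NAME_RE = re.compile(r"(token|key|secret|password|passwd|credential)", re.IGNORECASE)

# hudson.util.Secret serialises an encrypted value as base64 wrapped in braces.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def find_plaintext_secrets(config_xml: str):
    """Return (element_name, value) for credential-looking leaf elements
    whose value is not in Jenkins' encrypted Secret form."""
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter():
        if len(elem) > 0:          # only inspect leaf elements
            continue
        value = (elem.text or "").strip()
        if not value or not SECRET_NAME_RE.search(elem.tag):
            continue
        if ENCRYPTED_RE.match(value):
            continue               # stored as a Secret: fine
        findings.append((elem.tag, value))
    return findings


def mask(value: str, keep: int = 4) -> str:
    """Show only a prefix so the report itself does not leak the credential."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_jenkins_home(jenkins_home: str):
    """Walk JENKINS_HOME/jobs/*/config.xml and collect plaintext findings per job."""
    results = {}
    for cfg in Path(jenkins_home).glob("jobs/*/config.xml"):
        try:
            hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue               # skip unparsable files rather than abort the scan
        if hits:
            results[str(cfg)] = hits
    return results


if __name__ == "__main__":
    # Demo on the constructed sample; run scan_jenkins_home("/var/lib/jenkins")
    # (path is an assumption) against a real controller instead.
    for tag, value in find_plaintext_secrets(SAMPLE_CONFIG_XML):
        print(f"plaintext credential in <{tag}>: {mask(value)}")
```

Hits point at jobs that must be reconfigured after the plugin is upgraded, because upgrading the plugin alone does not rewrite credentials already saved in clear text. The check is heuristic: element names are matched by substring, and very old Jenkins installations that still hold unbraced base64 Secrets will be reported as plaintext and need a manual look.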

Impact

  • Information Disclosure
  • Gain Access
  • Privilege Escalation

Indicators of Compromise

CVE

  • CVE-2025-53668
  • CVE-2025-53669
  • CVE-2025-53667
  • CVE-2025-53666
  • CVE-2025-53665
  • CVE-2025-53664
  • CVE-2025-53663
  • CVE-2025-53662
  • CVE-2025-53661
  • CVE-2025-53660

Affected Vendors

  • Jenkins

Affected Products

  • Jenkins VAddy Plugin 1.2.8
  • Jenkins Dead Man's Snitch Plugin 0.1
  • Jenkins Apica Loadtest Plugin 1.10
  • Jenkins IBM Cloud DevOps Plugin 2.0.16
  • Jenkins IFTTT Build Notifier Plugin 1.2
  • Jenkins Testsigma Test Plan run Plugin 1.6
  • Jenkins QMetry Test Management Plugin 1.13

Remediation

Refer to Jenkins Website for patch, upgrade, or suggested workaround information.

  • CVE-2025-53668
  • CVE-2025-53669
  • CVE-2025-53667
  • CVE-2025-53666
  • CVE-2025-53665
  • CVE-2025-53664
  • CVE-2025-53663
  • CVE-2025-53662
  • CVE-2025-53661
  • CVE-2025-53660