CVE-2025-53660
BaseFortify
Publication date: 2025-07-09
Last updated on: 2025-11-04
Assigner: Jenkins Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | qmetry_test_management | to 1.13 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CWE-256 | The product stores a password in plaintext within resources such as memory or files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in Jenkins QMetry Test Management Plugin version 1.13 and earlier, where the Qmetry Automation API Keys are not masked on the job configuration form. This means that the API keys are visible in plain text, which increases the risk that attackers can see and capture these sensitive keys.
How can this vulnerability impact me? :
If an attacker observes or captures the unmasked Qmetry Automation API Keys, they could potentially misuse these keys to gain unauthorized access to the QMetry Automation services, leading to security breaches or unauthorized actions within the affected Jenkins environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the Jenkins QMetry Test Management Plugin to a version later than 1.13 where the issue is fixed, or avoid displaying Qmetry Automation API Keys in job configuration forms to prevent exposure. Additionally, review and rotate any exposed API keys to reduce risk.