CVE-2025-53669
BaseFortify
Publication date: 2025-07-09
Last updated on: 2025-11-04
Assigner: Jenkins Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | vaddy | to 1.2.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CWE-256 | The product stores a password in plaintext within resources such as memory or files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Jenkins VAddy Plugin version 1.2.8 and earlier causes the Vaddy API Auth Keys to be displayed in plain text on the job configuration form, without masking. This means that anyone who can view the configuration form can see and potentially capture these sensitive authentication keys.
How can this vulnerability impact me? :
If an attacker gains access to the job configuration form, they can observe and capture the Vaddy API Auth Keys. This could allow unauthorized access to the Vaddy API, potentially leading to misuse of the API, data exposure, or further compromise of systems relying on these keys.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the Jenkins VAddy Plugin to a version later than 1.2.8 where the issue is fixed or avoid displaying VAddy API Auth Keys in job configuration forms to prevent exposure. Additionally, review and rotate any exposed API keys to prevent unauthorized access.