CVE-2025-53742
BaseFortify
Publication date: 2025-07-09
Last updated on: 2025-11-04
Assigner: Jenkins Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | applitools_eyes | to 1.16.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Jenkins Applitools Eyes Plugin versions 1.16.5 and earlier involves storing Applitools API keys unencrypted in job config.xml files on the Jenkins controller. These keys can be viewed by users who have Item/Extended Read permission or by anyone with access to the Jenkins controller file system.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to Applitools API keys, potentially allowing attackers or unauthorized users to misuse these keys, access sensitive data, or perform actions within the Applitools service that the keys protect.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately restrict access to the Jenkins controller file system and review user permissions to ensure only trusted users have Item/Extended Read permission. Additionally, consider upgrading the Jenkins Applitools Eyes Plugin to a version later than 1.16.5 if available, or remove API keys from job config.xml files and store them securely outside of Jenkins job configurations.