CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53660
https://notcve.org/view.php?id=CVE-2025-53660
09 Jul 2025 — Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. • https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3532 • CWE-256: Plaintext Storage of a Password CWE-522: Insufficiently Protected Credentials •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53659
https://notcve.org/view.php?id=CVE-2025-53659
09 Jul 2025 — Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3532 • CWE-311: Missing Encryption of Sensitive Data •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53658
https://notcve.org/view.php?id=CVE-2025-53658
09 Jul 2025 — Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. • https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3509 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53657
https://notcve.org/view.php?id=CVE-2025-53657
09 Jul 2025 — Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers to observe and capture them. • https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3556 • CWE-522: Insufficiently Protected Credentials •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53656
https://notcve.org/view.php?id=CVE-2025-53656
09 Jul 2025 — Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3556 • CWE-256: Plaintext Storage of a Password •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53655
https://notcve.org/view.php?id=CVE-2025-53655
09 Jul 2025 — Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it. • https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3554 • CWE-256: Plaintext Storage of a Password •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53654
https://notcve.org/view.php?id=CVE-2025-53654
09 Jul 2025 — Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3554 • CWE-522: Insufficiently Protected Credentials •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53653
https://notcve.org/view.php?id=CVE-2025-53653
09 Jul 2025 — Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3542 • CWE-311: Missing Encryption of Sensitive Data •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53651
https://notcve.org/view.php?id=CVE-2025-53651
09 Jul 2025 — Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log. • https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3547 • CWE-36: Absolute Path Traversal •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47889
https://notcve.org/view.php?id=CVE-2025-47889
14 May 2025 — In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist. • https://www.jenkins.io/security/advisory/2025-05-14/#SECURITY-3481 • CWE-287: Improper Authentication •