Unencrypted AWS Secret Key Exposure in Jenkins Statistics Gatherer Plugin from Jenkins
CVE-2025-53654

6.5 MEDIUM

Key Information:

Vendor:
Jenkins

CVE Published:
9 July 2025

What is CVE-2025-53654?

The Jenkins Statistics Gatherer Plugin, versions 2.0.3 and earlier, stores AWS Secret Keys unencrypted in its global configuration file on the Jenkins controller. Any user with access to the controller's file system can therefore read these keys, which may lead to unauthorized access to the associated AWS resources. Users and system administrators should upgrade to a patched version of the plugin and follow credential-management best practices to mitigate this risk.

Affected Version(s)

Jenkins Statistics Gatherer Plugin, all versions up to and including 2.0.3

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published (9 July 2025)
  • Vulnerability reserved
