Unencrypted AWS Secret Key Exposure in Jenkins Statistics Gatherer Plugin from Jenkins
CVE-2025-53654

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Statistics Gatherer Plugin
Vendor: CVE Published:; 9 July 2025

What is CVE-2025-53654?

The Jenkins Statistics Gatherer Plugin, versions 2.0.3 and earlier, poses a security risk by storing AWS Secret Keys in an unencrypted format within its global configuration file on the Jenkins controller. This vulnerability allows users who have access to the file system of the Jenkins controller to view these sensitive keys, potentially leading to unauthorized access to AWS resources. It is essential for users and system administrators to upgrade to a patched version and implement best practices for credential management to mitigate this risk.

Affected Version(s)

Jenkins Statistics Gatherer Plugin 0 <= 2.0.3

References

https://www.jenkins.io/security/advisory/2025-07-09/#SECU...

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 9, 2025
Vulnerability Reserved
Jul 8, 2025