Unencrypted AWS Secret Key Exposure in Jenkins Statistics Gatherer Plugin from Jenkins
CVE-2025-53654
6.5 MEDIUM
Key Information:
- Vendor: Jenkins
- CVE Published: 9 July 2025
What is CVE-2025-53654?
The Jenkins Statistics Gatherer Plugin, versions 2.0.3 and earlier, poses a security risk by storing AWS Secret Keys in an unencrypted format within its global configuration file on the Jenkins controller. This vulnerability allows users who have access to the file system of the Jenkins controller to view these sensitive keys, potentially leading to unauthorized access to AWS resources. It is essential for users and system administrators to upgrade to a patched version and implement best practices for credential management to mitigate this risk.
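To check a controller for this class of problem, the following added example (not taken from the advisory or the plugin) scans the top-level XML files in a Jenkins home directory and reports credential-like elements whose value is not in the brace-wrapped ciphertext form Jenkins uses when it persists a `Secret`. The element names, the sample documents and the name-matching heuristic are assumptions made for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins' Secret type is persisted as base64 ciphertext wrapped in braces.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Heuristic for credential-like element names (an assumption of this example).
SENSITIVE = re.compile(r"secret|password|token|api_?key", re.IGNORECASE)
# Jenkins writes an XML 1.1 declaration; drop it so parser version support is moot.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def find_plaintext_secrets(xml_text):
    """Return sorted names of leaf elements that look sensitive but are not encrypted."""
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    hits = set()
    for elem in root.iter():
        value = (elem.text or "").strip()
        is_leaf = len(elem) == 0
        if is_leaf and value and SENSITIVE.search(elem.tag) and not ENCRYPTED.match(value):
            hits.add(elem.tag)  # record the element name only, never the value
    return sorted(hits)

def audit_jenkins_home(home):
    """Scan top-level *.xml files (where global plugin config lives) in JENKINS_HOME."""
    findings = {}
    for path in sorted(Path(home).glob("*.xml")):
        try:
            hits = find_plaintext_secrets(path.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError:
            continue  # not well-formed XML; skip rather than abort the audit
        if hits:
            findings[path.name] = hits
    return findings

# Constructed samples: element names and key values are illustrative only.
SAMPLE_PLAINTEXT = """<?xml version='1.1' encoding='UTF-8'?>
<pluginConfig><awsRegion>us-east-1</awsRegion>
<awsSecretKey>EXAMPLEexampleEXAMPLEexampleEXAMPLE12345</awsSecretKey></pluginConfig>"""
SAMPLE_ENCRYPTED = """<?xml version='1.1' encoding='UTF-8'?>
<pluginConfig><awsSecretKey>{AQAAABAAAAAQZXhhbXBsZWNpcGhlcnRleHQ=}</awsSecretKey></pluginConfig>"""

if __name__ == "__main__":
    for name, tags in audit_jenkins_home(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: plaintext value in {', '.join(tags)}")
```

Any AWS key the audit reports should be treated as exposed and rotated, since it has been readable by anyone with file system access to the controller.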
Affected Version(s)
Jenkins Statistics Gatherer Plugin 0 <= 2.0.3