Unencrypted Credential Storage in Jenkins ReadyAPI Plugin by CloudBees
CVE-2025-53656

6.5 MEDIUM

What is CVE-2025-53656?

The Jenkins ReadyAPI Functional Testing Plugin prior to version 1.11 stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller. Any user with Item/Extended Read permission, or anyone with access to the controller's file system, can read these values, exposing the credentials to unauthorized users.
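A defender-side check for this class of finding, added here as an example and not taken from the plugin or the advisory: a scanner that walks job config.xml files under the Jenkins home directory and flags credential-looking elements whose value is stored in the clear. It relies on the fact that fields typed as hudson.util.Secret are serialised by current Jenkins releases as a base64 blob wrapped in curly braces, while plain String fields (the defect described above) are written verbatim. The element names, the secret-tag heuristics and the sample config.xml are assumptions constructed for the example; they are not the ReadyAPI plugin's actual field names.

```python
"""Scan Jenkins job config.xml files for credential-like values stored in the clear.

Added example (not the plugin's code). Jenkins serialises hudson.util.Secret
fields as "{base64...}"; plain String fields holding secrets appear verbatim,
which is the problem class described by CVE-2025-53656.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Tag-name fragments that commonly hold a credential (assumption; extend as needed).
SECRET_TAG_HINTS = ("password", "secret", "accesskey", "apikey", "token")

# hudson.util.Secret serialised form on current Jenkins: base64 inside curly braces.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def looks_like_secret_tag(tag: str) -> bool:
    """True if the element name suggests it stores a credential."""
    lowered = tag.lower()
    return any(hint in lowered for hint in SECRET_TAG_HINTS)


def is_encrypted(value: str) -> bool:
    """True if the value has the Jenkins Secret '{base64}' shape."""
    return bool(ENCRYPTED_RE.match(value.strip()))


def find_plaintext_secrets(xml_text: str) -> list[tuple[str, str]]:
    """Return (element path, tag) for secret-like elements stored in the clear.

    The secret value itself is deliberately not returned or logged.
    """
    root = ET.fromstring(xml_text)
    findings: list[tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if looks_like_secret_tag(elem.tag) and text and not is_encrypted(text):
            findings.append((here, elem.tag))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def scan_jobs_dir(jobs_dir: Path) -> dict[str, list[tuple[str, str]]]:
    """Walk $JENKINS_HOME/jobs and report findings per config.xml file."""
    report: dict[str, list[tuple[str, str]]] = {}
    for cfg in jobs_dir.rglob("config.xml"):
        try:
            hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # skip unreadable or non-XML files rather than abort the scan
        if hits:
            report[str(cfg)] = hits
    return report


# Constructed sample config.xml (hypothetical builder class, not the real plugin):
# one plaintext credential, one properly encrypted one, one non-secret field.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <builders>
    <com.example.hypothetical.ReadyApiBuilder>
      <projectPath>tests/suite.xml</projectPath>
      <clientSecret>hunter2-plaintext</clientSecret>
      <apiPassword>{AQAAABAAAAAQdGVzdA==}</apiPassword>
    </com.example.hypothetical.ReadyApiBuilder>
  </builders>
</project>
"""

if __name__ == "__main__":
    # Run against the embedded sample; point scan_jobs_dir at $JENKINS_HOME/jobs for real use.
    for path, tag in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext credential at {path}")
```

Run it on the controller as the Jenkins service user (or against a backup of the jobs directory) and treat every hit as a credential to rotate after upgrading the plugin; the brace-wrapped check is a heuristic for modern Jenkins, so a controller that still carries secrets serialised by very old releases may need the pattern adjusted.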

Affected Version(s)

Jenkins ReadyAPI Functional Testing Plugin 0 <= 1.11

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
