Confidential API Key Exposure in Jenkins QMetry Test Management Plugin
CVE-2025-53659

6.5 MEDIUM

Key Information:

Vendor

Jenkins

CVE Published:
9 July 2025

What is CVE-2025-53659?

The QMetry Test Management Plugin for Jenkins, versions 1.13 and earlier, stores QMetry Automation API keys unencrypted in job config.xml files on the Jenkins controller. Because job configuration is readable by users holding Item/Extended Read permission, and the files themselves are readable by anyone with access to the controller's file system, these users can recover the API keys in plaintext. Operators should treat exposed keys as compromised and rotate them, and restrict Extended Read and controller file-system access until the plugin stores the keys in protected form.
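A defender-side check for the defect class this CVE describes, added here as an example and not part of the advisory or the plugin: it scans Jenkins job config.xml files for secret-looking elements whose values are not in Jenkins' encrypted `{base64}` form. The element names in the constructed sample (`automationApiKey`, the publisher class name) are hypothetical and not the plugin's real schema.

```python
"""Flag plaintext secret-like fields in Jenkins job config.xml files.

Heuristic: Jenkins stores hudson.util.Secret values as base64 wrapped in
braces, e.g. {AQAAABAAAA...}. A key/token/password element whose text is
not in that form is stored in plaintext, the defect class behind CVE-2025-53659.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

SECRET_NAME = re.compile(r"(apikey|api_key|token|secret|password|passwd)", re.I)
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def scan_config_xml(xml_text: str) -> list[tuple[str, str]]:
    """Return (element tag, redacted value) for secret-like plaintext fields."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]          # drop any namespace prefix
        text = (elem.text or "").strip()
        if not text or not SECRET_NAME.search(tag):
            continue
        if ENCRYPTED.match(text):
            continue                               # protected by Jenkins' Secret class
        findings.append((tag, f"{text[:4]}...({len(text)} chars)"))  # never log the key
    return findings


def scan_jenkins_home(jenkins_home: str) -> dict[str, list[tuple[str, str]]]:
    """Walk $JENKINS_HOME/jobs/*/config.xml and collect findings per file."""
    results = {}
    for cfg in Path(jenkins_home).glob("jobs/*/config.xml"):
        hits = scan_config_xml(cfg.read_text(encoding="utf-8"))
        if hits:
            results[str(cfg)] = hits
    return results


# Constructed sample; element and class names are hypothetical, not the plugin's schema.
SAMPLE_CONFIG = """<project>
  <publishers>
    <com.example.qmetry.QMetryPublisher>
      <apiUrl>https://qtm.example.invalid/rest</apiUrl>
      <automationApiKey>qtm-EXAMPLE-PLAINTEXT-KEY-1234</automationApiKey>
      <proxyPassword>{AQAAABAAAAAQc29tZWVuY3J5cHRlZGJ5dGVz}</proxyPassword>
    </com.example.qmetry.QMetryPublisher>
  </publishers>
</project>"""

if __name__ == "__main__":
    for tag, val in scan_config_xml(SAMPLE_CONFIG):
        print(f"plaintext secret-like field <{tag}>: {val}")
```

Run `scan_jenkins_home("/var/lib/jenkins")` (or wherever JENKINS_HOME lives) on the controller to audit every job; the encrypted `proxyPassword` in the sample is correctly left alone while the plaintext key is flagged.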

Affected Version(s)

Jenkins QMetry Test Management Plugin, all versions up to and including 1.13 (0 <= 1.13)

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
