Confidential API Key Exposure in Jenkins QMetry Test Management Plugin
CVE-2025-53659
6.5 MEDIUM
Key Information:
- Vendor: Jenkins
- CVE Published: 9 July 2025
What is CVE-2025-53659?
The QMetry Test Management Plugin for Jenkins versions 1.13 and earlier has a significant security flaw. It stores Qmetry Automation API keys in plaintext within job config.xml files located on the Jenkins controller. This exposes sensitive information to users who possess Item or Extended Read permissions, as well as anyone who can access the Jenkins controller's file system. Proper precautions and remediation strategies must be implemented to protect API keys from unauthorized access.
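A defender can check a controller for the condition described above by walking the job `config.xml` files and flagging key-like elements whose value is not in the `{base64}` form that Jenkins uses for encrypted `Secret` fields. This is an added example, not code from the plugin or from Jenkins; the element names (`apikey`, `hypothetical.QMetryStep`) and the sample values are constructed assumptions, since the page does not give the plugin's actual field name.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: the key is stored in an element whose name contains "apikey".
KEY_TAG = re.compile(r"api_?key", re.IGNORECASE)
# Jenkins' Secret type serializes encrypted values as {base64}.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Jenkins writes XML 1.1 declarations, which Python's expat parser rejects.
XML11_DECL = re.compile(r"^(<\?xml\s+version=['\"])1\.1")

def find_plaintext_keys(jenkins_home):
    """Return (config path, element name) for each unencrypted key-like value."""
    findings = []
    for cfg in sorted(Path(jenkins_home).glob("jobs/**/config.xml")):
        text = cfg.read_text(encoding="utf-8", errors="replace")
        try:
            root = ET.fromstring(XML11_DECL.sub(r"\g<1>1.0", text, count=1).encode("utf-8"))
        except ET.ParseError:
            findings.append((str(cfg), "<unparseable>"))  # review by hand
            continue
        for el in root.iter():
            value = (el.text or "").strip()
            if KEY_TAG.search(el.tag) and value and not ENCRYPTED.match(value):
                findings.append((str(cfg), el.tag))  # never log the value itself
    return findings

def build_sample_home(root):
    """Write two constructed job configs: one plaintext key, one encrypted."""
    body = ("<?xml version='1.1' encoding='UTF-8'?>\n<project><publishers>"
            "<hypothetical.QMetryStep><apikey>{}</apikey></hypothetical.QMetryStep>"
            "</publishers></project>")
    samples = {"legacy": "CONSTRUCTED-PLAINTEXT-KEY",
               "encrypted": "{AQAAABAAAAAQY29uc3RydWN0ZWQ=}"}
    for job, value in samples.items():
        job_dir = Path(root) / "jobs" / job
        job_dir.mkdir(parents=True)
        (job_dir / "config.xml").write_text(body.format(value), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample_home(home)
        for path, tag in find_plaintext_keys(home):
            print(f"plaintext value in <{tag}>: {path}")
```

Run against a real controller by passing its home directory to `find_plaintext_keys`; the tag pattern should be adjusted once the plugin's actual element name is confirmed from an affected `config.xml`.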
Affected Version(s)
Jenkins QMetry Test Management Plugin 0 <= 1.13