Confidential API Key Exposure in Jenkins QMetry Test Management Plugin
CVE-2025-53659

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Qmetry Test Management Plugin
Vendor: CVE Published:; 9 July 2025

What is CVE-2025-53659?

The QMetry Test Management Plugin for Jenkins versions 1.13 and earlier has a significant security flaw. It stores Qmetry Automation API keys in plaintext within job config.xml files located on the Jenkins controller. This exposes sensitive information to users who possess Item or Extended Read permissions, as well as anyone who can access the Jenkins controller's file system. Proper precautions and remediation strategies must be implemented to protect API keys from unauthorized access.

Affected Version(s)

Jenkins QMetry Test Management Plugin 0 <= 1.13

References

https://www.jenkins.io/security/advisory/2025-07-09/#SECU...

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 9, 2025
Vulnerability Reserved
Jul 8, 2025