Jenkins VAddy Plugin API Key Exposure Vulnerability
CVE-2025-53668

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Vaddy Plugin
Vendor: CVE Published:; 9 July 2025

What is CVE-2025-53668?

The Jenkins VAddy Plugin (version 1.2.8 and earlier) poses a security risk by storing API authentication keys in an unencrypted format within the job config.xml files on the Jenkins controller. This lax security practice allows users with Item/Extended Read permissions, or who have access to the Jenkins controller's file system, to potentially view these sensitive keys, which could lead to unauthorized access and manipulation of linked services. It is crucial for users and administrators to assess their Jenkins installation and consider implementing measures to secure their jobs and associated configurations.

Affected Version(s)

Jenkins VAddy Plugin 0 <= 1.2.8

References

https://www.jenkins.io/security/advisory/2025-07-09/#SECU...

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 9, 2025
Vulnerability Reserved
Jul 8, 2025