Exposure of JWT Tokens in Jenkins User1st uTester Plugin by CloudBees
CVE-2025-53678

6.5MEDIUM

Key Information:

Vendor

Jenkins

Vendor
CVE Published:
9 July 2025

What is CVE-2025-53678?

The Jenkins User1st uTester Plugin, specifically in versions 1.1 and earlier, is susceptible to a security issue where the uTester JWT token is stored unencrypted in the global configuration file on the Jenkins controller. This exposure allows any user with access to the file system of the Jenkins controller to view the sensitive JWT tokens, which could lead to unauthorized access and potential exploitation of user credentials. Organizations utilizing this plugin should take immediate action to mitigate risks and secure their Jenkins environment.

Affected Version(s)

Jenkins User1st uTester Plugin 0 <= 1.1

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-53678 : Exposure of JWT Tokens in Jenkins User1st uTester Plugin by CloudBees