Exposure of JWT Tokens in Jenkins User1st uTester Plugin by CloudBees
CVE-2025-53678

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins User1st Utester Plugin
Vendor: CVE Published:; 9 July 2025

What is CVE-2025-53678?

The Jenkins User1st uTester Plugin, specifically in versions 1.1 and earlier, is susceptible to a security issue where the uTester JWT token is stored unencrypted in the global configuration file on the Jenkins controller. This exposure allows any user with access to the file system of the Jenkins controller to view the sensitive JWT tokens, which could lead to unauthorized access and potential exploitation of user credentials. Organizations utilizing this plugin should take immediate action to mitigate risks and secure their Jenkins environment.

Affected Version(s)

Jenkins User1st uTester Plugin 0 <= 1.1

References

https://www.jenkins.io/security/advisory/2025-07-09/#SECU...

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 9, 2025
Vulnerability Reserved
Jul 8, 2025