This advisory announces vulnerabilities in the following Jenkins deliverables:
credentials-binding
Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log.
Credentials Binding Plugin 687.689.v1a_f775332fc9 rethrows exceptions that contain credentials, masking those credentials in the error messages.
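To make the distinction between the two behaviours concrete, the following is an added example in Python (not code from the Credentials Binding Plugin, which is written in Java). It builds a mask pattern over every form in which a bound credential can appear in a log line (raw, URL-encoded, Base64; the set of forms is an assumption), masks lines routed through the console filter, and shows the fix pattern of rethrowing an exception with its message masked, so that an exception written to the log by a path that bypasses the filter no longer carries the plaintext. The secrets and log lines are constructed for the example.

```python
import base64
import re
from urllib.parse import quote

MASK = "****"  # what the reader of the build log sees in place of the secret


def secret_variants(secret):
    """Forms in which a bound credential can surface in a log line: raw, URL-encoded, Base64."""
    if not secret:
        return []
    return sorted({secret, quote(secret, safe=""), base64.b64encode(secret.encode()).decode()})


def build_mask_pattern(secrets):
    """Single regex over every variant of every secret, longest alternatives first, so that a
    secret that is a prefix of another one is never left half-masked."""
    variants = {v for s in secrets for v in secret_variants(s)}
    if not variants:
        return re.compile(r"(?!)")  # never matches; re.compile("") would mask every position
    ordered = sorted(variants, key=len, reverse=True)
    return re.compile("|".join(re.escape(v) for v in ordered))


def mask_line(line, pattern):
    """The console-filter path: everything routed through here is masked."""
    return pattern.sub(MASK, line)


def masked_copy(exc, pattern):
    """Copy of an exception with the credential masked in its message.
    Assumes the exception type can be rebuilt from a single message string."""
    return type(exc)(mask_line(str(exc), pattern))


def run_masked(step, pattern):
    """Wrap a step the way the fixed plugin does: an exception whose message carries the
    credential is rethrown with the message masked, so a log writer that does not go through
    the console filter (the unfixed behaviour) never receives the plaintext."""
    try:
        return step()
    except Exception as exc:
        raise masked_copy(exc, pattern) from None


if __name__ == "__main__":
    # Constructed secrets and log lines, not taken from a real build.
    pattern = build_mask_pattern(["s3cr3t-token", "s3cr3t"])
    for line in ("curl -H 'Authorization: Bearer s3cr3t-token'",
                 "db pass s3cr3t ok",
                 "Authorization: Basic " + base64.b64encode(b"s3cr3t-token").decode()):
        print(mask_line(line, pattern))

    def failing_step():
        raise RuntimeError("HTTP 401 from https://api.example.test using token s3cr3t-token")

    try:
        run_masked(failing_step, pattern)
    except RuntimeError as exc:
        print("rethrown:", exc)
```

The longest-first ordering matters whenever one bound secret is a prefix of another (a token and the same token with a suffix, or a password and its URL-encoded form); with alternation in arbitrary order the shorter alternative can win and leave the remainder of the longer secret readable.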
htmlpublisher
HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log.
HTML Publisher Plugin 427 displays only the parent directory name of files archived during the Publish HTML reports post-build step in its log messages.
git-parameter
Git Parameter Plugin implements a choice build parameter that lists the configured Git SCM’s branches, tags, pull requests, and revisions.
Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices.
This allows attackers with Item/Build permission to inject arbitrary values into Git parameters.
Git Parameter Plugin 444.vca_b_84d3703c2 validates that the Git parameter value submitted to the build matches one of the offered choices.
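The check the unfixed plugin lacked, as an added example in Python (not the plugin's own Java code): the offered choices are derived on the controller from `git ls-remote` output, and a submitted value is accepted only if it is exactly one of the choices of the parameter's kind. The sample `ls-remote` output, the choice-kind names and the pull-request ref layout are assumptions made for the example.

```python
import re

# Constructed sample of `git ls-remote <url>` output (object id, TAB, ref name); not real data.
SAMPLE_LS_REMOTE = (
    "1111111111111111111111111111111111111111\tHEAD\n"
    "2222222222222222222222222222222222222222\trefs/heads/main\n"
    "3333333333333333333333333333333333333333\trefs/heads/release/1.4\n"
    "4444444444444444444444444444444444444444\trefs/tags/v1.4.0\n"
    "5555555555555555555555555555555555555555\trefs/tags/v1.4.0^{}\n"
    "6666666666666666666666666666666666666666\trefs/pull/42/head\n"
)

PULL_REF = re.compile(r"^refs/pull/(\d+)/head$")  # assumed layout of pull-request refs


def offered_choices(ls_remote_output):
    """Turn ls-remote output into the choice lists a Git parameter of each kind would offer."""
    choices = {"branches": [], "tags": [], "pull_requests": [], "revisions": []}
    for line in ls_remote_output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        # HEAD is not a selectable ref; "^{}" is the peeled object of an annotated tag.
        if ref == "HEAD" or ref.endswith("^{}"):
            continue
        if ref.startswith("refs/heads/"):
            choices["branches"].append(ref[len("refs/heads/"):])
        elif ref.startswith("refs/tags/"):
            choices["tags"].append(ref[len("refs/tags/"):])
        else:
            m = PULL_REF.match(ref)
            if m:
                choices["pull_requests"].append(m.group(1))
        choices["revisions"].append(sha)
    return choices


def validate_submitted(value, choices, kind):
    """Exact membership in the list offered for this parameter kind: no prefix or substring
    matching, and no trust in whatever the browser form sent back."""
    return value in choices[kind]


if __name__ == "__main__":
    choices = offered_choices(SAMPLE_LS_REMOTE)
    for value, kind in (("main", "branches"),
                        ("main; rm -rf /", "branches"),
                        ("v1.4.0^{}", "tags"),
                        ("2222222222222222222222222222222222222222", "branches")):
        print(f"{kind:14} {value!r:45} accepted={validate_submitted(value, choices, kind)}")
```

The choices have to be recomputed on the controller at the moment the build is submitted, because a user with Item/Build permission is not limited to the form: the value arrives as a request parameter and can be anything. The list rendered into the form is only a convenience for the user, not a control.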
aqua-security-scanner
Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix. Learn why we announce this.
statistics-gatherer
Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml on the Jenkins controller as part of its configuration.
This key can be viewed by users with access to the Jenkins controller file system.
Additionally, the global configuration form does not mask this key, increasing the potential for attackers to observe and capture it.
As of publication of this advisory, there is no fix. Learn why we announce this.
soapui-pro-functional-testing
ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These credentials can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.
As of publication of this advisory, there is no fix. Learn why we announce this.
applitools-eyes
Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Applitools Eyes Plugin 1.16.6 rejects Applitools URLs that contain HTML metacharacters.
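The following is an added example in Python (not the Applitools Eyes Plugin's code) of the two rendering behaviours: the vulnerable pattern drops the configured URL into an href attribute verbatim, so a value that closes the attribute becomes markup on the build page; the hardened version rejects values that are not absolute http(s) URLs or that contain HTML metacharacters at configuration time, and still escapes at render time. Which characters the plugin treats as metacharacters is not stated in this advisory; the set used here, the scheme check and the payload are assumptions.

```python
import html
from urllib.parse import urlsplit

# Assumed metacharacter set; the advisory does not enumerate what the fix rejects.
HTML_METACHARACTERS = set('<>"\'&')


def render_link_unescaped(url):
    """Vulnerable pattern: attacker-controlled text interpolated straight into an attribute."""
    return f'<a href="{url}">Applitools results</a>'


def validate_applitools_url(url):
    """Reject rather than repair: only absolute http(s) URLs without HTML metacharacters pass.
    The scheme check also blocks javascript: URLs, which escaping alone would not."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("expected an absolute http(s) URL")
    if HTML_METACHARACTERS & set(url):
        raise ValueError("URL contains HTML metacharacters")
    return url


def is_accepted(url):
    try:
        validate_applitools_url(url)
        return True
    except ValueError:
        return False


def render_link_hardened(url):
    """Validate at save time and escape at render time; either alone leaves a gap."""
    safe = html.escape(validate_applitools_url(url), quote=True)
    return f'<a href="{safe}">Applitools results</a>'


if __name__ == "__main__":
    # Constructed values, not from a real job configuration.
    payload = '"><script>alert(document.domain)</script>'
    print(render_link_unescaped(payload))
    for candidate in (payload, "javascript:alert(1)", "https://eyes.applitools.com/app/batches/123"):
        print(f"{candidate!r}: accepted={is_accepted(candidate)}")
    print(render_link_hardened("https://eyes.applitools.com/app/batches/123"))
```

Rejecting '&' means a URL with a multi-parameter query string is refused too; that is the trade-off of a reject-list over context-aware escaping, and the reason the example keeps the escape at render time as well.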
applitools-eyes
Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.
Applitools Eyes Plugin 1.16.6 masks Applitools API keys displayed on the configuration form, and stores them encrypted once job configurations are saved again.
qmetry-test-management
QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.
As of publication of this advisory, there is no fix. Learn why we announce this.
testsigma
Testsigma Test Plan run Plugin stores Testsigma API keys in job config.xml files on the Jenkins controller as part of its configuration.
These API keys are stored encrypted on disk, but in Testsigma Test Plan run Plugin 1.6 and earlier the job configuration form does not mask them, increasing the potential for attackers to observe and capture them.
As of publication of this advisory, there is no fix. Learn why we announce this.
ifttt-build-notifier
IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix. Learn why we announce this.
ibm-cloud-devops
IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix. Learn why we announce this.
ApicaLoadtest
Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.
As of publication of this advisory, there is no fix. Learn why we announce this.
deadmanssnitch
Dead Man’s Snitch Plugin 0.1 stores Dead Man’s Snitch tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.
As of publication of this advisory, there is no fix. Learn why we announce this.
vaddy-plugin
VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.
As of publication of this advisory, there is no fix. Learn why we announce this.
nouvola-divecloud
Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these keys, increasing the potential for attackers to observe and capture them.
As of publication of this advisory, there is no fix. Learn why we announce this.
kryptowire
Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file org.aerogear.kryptowire.GlobalConfigurationImpl.xml on the Jenkins controller as part of its configuration.
This API key can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix. Learn why we announce this.
sensedia-api-platform
Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file com.sensedia.configuration.SensediaApiConfiguration.xml on the Jenkins controller as part of its configuration.
This token can be viewed by users with access to the Jenkins controller file system.
Additionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.
As of publication of this advisory, there is no fix. Learn why we announce this.
warrior
Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix. Learn why we announce this.
xooa
Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment token unencrypted in its global configuration file io.jenkins.plugins.xooa.GlobConfig.xml on the Jenkins controller as part of its configuration.
This token can be viewed by users with access to the Jenkins controller file system.
Additionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.
As of publication of this advisory, there is no fix. Learn why we announce this.
user1st-utester
User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file io.jenkins.plugins.user1st.utester.UTesterPlugin.xml on the Jenkins controller as part of its configuration.
This token can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix. Learn why we announce this.
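Every "stores ... unencrypted" entry above, from aqua-security-scanner down to user1st-utester, describes the same condition: a value that should have been stored as a hudson.util.Secret sits as plain text in a job config.xml or a global plugin .xml on the controller. Since most of those entries have no fix, an administrator's practical option is to find such values and rotate them. The following is an added example in Python (not part of this advisory or of any of the plugins) of a controller-side check: it walks JENKINS_HOME/*.xml and jobs/**/config.xml, selects leaf elements whose name looks secret-bearing, and reports those whose value is not in Secret's brace-wrapped Base64 encrypted form. The field-name heuristic, the embedded sample config and the plugin and class names in it are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Heuristic for secret-bearing field names (case-insensitive). A field such as <publicKey>
# is reported as well and has to be triaged by hand.
SECRET_FIELD = re.compile(r"(?i)(token|secret|password|passwd|key)s?$")
# hudson.util.Secret serializes as Base64 ciphertext wrapped in braces; anything else is
# treated as plaintext.
ENCRYPTED_VALUE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Constructed sample of a job config.xml; plugin and class names are made up for the example.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<project>
  <builders>
    <com.example.FakeScanner plugin="fake-scanner@1.0">
      <apiUrl>https://scanner.example.test/api</apiUrl>
      <scannerToken>plaintext-token-value</scannerToken>
      <password>{AQAAABAAAAAQZmFrZS1jaXBoZXJ0ZXh0LWZvci1kZW1vLW9ubHk=}</password>
    </com.example.FakeScanner>
  </builders>
</project>
"""


def _walk(elem, path, findings):
    here = f"{path}/{elem.tag}" if path else elem.tag
    children = list(elem)
    if children:
        for child in children:
            _walk(child, here, findings)
        return
    if not SECRET_FIELD.search(elem.tag):
        return
    value = (elem.text or "").strip()
    if value and not ENCRYPTED_VALUE.match(value):
        # Report where the secret lives and how long it is, never the secret itself.
        findings.append({"path": here, "field": elem.tag, "length": len(value)})


def find_plaintext_secrets(xml_text):
    """Leaf elements whose name looks secret-bearing and whose value is not Secret-encrypted."""
    findings = []
    _walk(ET.fromstring(xml_text), "", findings)
    return findings


def scan_jenkins_home(jenkins_home):
    """Scan global plugin configs (JENKINS_HOME/*.xml) and every job and folder config.xml
    below jobs/. Build records are deliberately not scanned."""
    home = Path(jenkins_home)
    targets = list(home.glob("*.xml")) + list((home / "jobs").rglob("config.xml"))
    report = {}
    for cfg in targets:
        try:
            findings = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        except (ET.ParseError, OSError) as exc:
            report[str(cfg)] = [{"error": str(exc)}]
            continue
        if findings:
            report[str(cfg)] = findings
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, items in scan_jenkins_home(sys.argv[1]).items():
            for item in items:
                print(path, item)
    else:
        for item in find_plaintext_secrets(SAMPLE_CONFIG):
            print("sample", item)
```

Run it on the controller as the Jenkins user, for example `python scan_config_secrets.py /var/lib/jenkins` (file name and path assumed); with no argument it scans the embedded sample. Only the brace-wrapped Base64 form is recognised as encrypted, so any other encoding of a value is reported and needs triage. A value reported here has already been exposed to everyone with Item/Extended Read on that job or file system access to the controller, so the remediation is rotation at the provider, not just re-saving the configuration.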
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: