CVE-2025-53663

Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3552	Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/07/09/4

Configurations

Configuration 1 (hide)

cpe:2.3:a:jenkins:ibm_cloud_devops:*:*:*:*:*:jenkins:*:*

History

04 Nov 2025, 22:16

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2025/07/09/4 -

Information

Published : 2025-07-09 16:15

Updated : 2025-11-04 22:16

NVD link : CVE-2025-53663

Mitre link : CVE-2025-53663

CVE.ORG link : CVE-2025-53663

JSON object : View

Products Affected

jenkins

ibm_cloud_devops

CWE

CWE-311

Missing Encryption of Sensitive Data

6.5 /10