=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN432
_____________________________________________________________________

DATE                : 10/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apica Loadtest Plugin,
                      Applitools Eyes Plugin,
                      Aqua Security Scanner Plugin,
                      Credentials Binding Plugin,
                      Dead Man's Snitch Plugin,
                      Git Parameter Plugin,
                      HTML Publisher Plugin,
                      IBM Cloud DevOps Plugin,
                      IFTTT Build Notifier Plugin,
                      Kryptowire Plugin,
                      Nouvola DiveCloud Plugin,
                      QMetry Test Management Plugin,
                      ReadyAPI Functional Testing Plugin,
                      Sensedia Api Platform tools Plugin,
                      Statistics Gatherer Plugin,
                      Testsigma Test Plan run Plugin,
                      User1st uTester Plugin,
                      VAddy Plugin,
                      Warrior Framework Plugin,
                      Xooa Plugin.

=====================================================================
https://www.jenkins.io/security/advisory/2025-07-09/
_____________________________________________________________________

 Jenkins Security Advisory 2025-07-09

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Apica Loadtest Plugin
    Applitools Eyes Plugin
    Aqua Security Scanner Plugin
    Credentials Binding Plugin
    Dead Man's Snitch Plugin
    Git Parameter Plugin
    HTML Publisher Plugin
    IBM Cloud DevOps Plugin
    IFTTT Build Notifier Plugin
    Kryptowire Plugin
    Nouvola DiveCloud Plugin
    QMetry Test Management Plugin
    ReadyAPI Functional Testing Plugin
    Sensedia Api Platform tools Plugin
    Statistics Gatherer Plugin
    Testsigma Test Plan run Plugin
    User1st uTester Plugin
    VAddy Plugin
    Warrior Framework Plugin
    Xooa Plugin


Descriptions

Improper masking of credentials in Credentials Binding Plugin
SECURITY-3499 / CVE-2025-53650
Severity (CVSS): Medium
Affected plugin: credentials-binding
Description:

Credentials Binding Plugin 687.v619cb_15e923f and earlier does
not properly mask (i.e., replace with asterisks) credentials
present in exception error messages that are written to the
build log.

Credentials Binding Plugin 687.689.v1a_f775332fc9 rethrows
exceptions that contain credentials, masking those credentials
in the error messages.
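The following is an added illustration of the masking failure described above, written for this bulletin and not taken from the Credentials Binding Plugin or any Jenkins code. It models a build log with two write paths: output produced by the step itself, which passes through the masking filter, and error reporting by the build engine, which does not. With the pre-fix behaviour the exception message carrying the credential reaches the engine path verbatim; with the fixed behaviour the exception is re-raised with a masked message first. The secret values, the failing client library and the log class are all constructed for the example.

```python
import re

# Constructed sample: values a (hypothetical) credentials binding step exposed
# to the build as environment variables. Not from the plugin's own code.
BOUND_SECRETS = {
    "API_TOKEN": "s3cr3t-t0ken-ABC123",
    "DB_PASS": "hunter2!",
}


def mask(text, secrets):
    """Replace every occurrence of a bound secret value with asterisks.

    Longest values are replaced first so that a short secret which is a
    substring of a longer one cannot leave part of the longer one visible.
    """
    for value in sorted(secrets.values(), key=len, reverse=True):
        if value:
            text = text.replace(value, "****")
    return text


class BuildLog:
    """Minimal stand-in for a Jenkins build log with two write paths."""

    def __init__(self, secrets):
        self._secrets = secrets
        self.lines = []

    def step_write(self, line):
        # Output produced by the step itself passes through the masking filter.
        self.lines.append(mask(line, self._secrets))

    def engine_write(self, line):
        # Error reporting by the build engine bypasses the step's filter;
        # whatever text the exception carries is written verbatim.
        self.lines.append(line)


def failing_step(secrets):
    """Simulates a client library that echoes the credential in its error."""
    raise RuntimeError(
        f"authentication failed for token {secrets['API_TOKEN']}"
    )


def run_step(log, secrets, rethrow_masked):
    """Run the failing step and report the failure to the build log.

    rethrow_masked=False reproduces the pre-fix behaviour (the exception
    reaches the engine unmasked). rethrow_masked=True mirrors the fix: the
    exception is re-raised with a masked message before the engine sees it.
    """
    log.step_write(f"connecting with {secrets['API_TOKEN']} ...")
    try:
        failing_step(secrets)
        return True
    except RuntimeError as exc:
        if rethrow_masked:
            exc = RuntimeError(mask(str(exc), secrets))
        log.engine_write(f"ERROR: {exc}")
        return False


def leaked_values(log, secrets):
    """Secret values that appear verbatim anywhere in the log."""
    return sorted(
        v for v in secrets.values() if any(v in line for line in log.lines)
    )


def demo(rethrow_masked):
    """Run one build with the chosen behaviour; return (log lines, leaked)."""
    log = BuildLog(BOUND_SECRETS)
    run_step(log, BOUND_SECRETS, rethrow_masked)
    return log.lines, leaked_values(log, BOUND_SECRETS)


if __name__ == "__main__":
    for fixed in (False, True):
        lines, leaked = demo(fixed)
        print("fixed" if fixed else "vulnerable", lines, "leaked:", leaked)
```

The practical check after upgrading is the same one leaked_values performs: search archived build logs for the literal credential values bound during the affected period, and rotate any that appear. Masking by string replacement also has a known limit worth keeping in mind: a credential that is re-encoded (base64, URL-encoded, split across lines) before it is logged will not match and will not be masked.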


File path information disclosure in HTML Publisher Plugin
SECURITY-3547 / CVE-2025-53651
Severity (CVSS): Medium
Affected plugin: htmlpublisher
Description:

HTML Publisher Plugin 425 and earlier displays log messages
that include the absolute paths of files archived during
the Publish HTML reports post-build step, exposing
information about the Jenkins controller file system in
the build log.

HTML Publisher Plugin 427 displays only the parent directory
name of files archived during the Publish HTML reports
post-build step in its log messages.


Missing input validation for parameter values in Git
Parameter Plugin
SECURITY-3419 / CVE-2025-53652
Severity (CVSS): Medium
Affected plugin: git-parameter
Description:

Git Parameter Plugin implements a choice build parameter
that lists the configured Git SCM’s branches, tags,
pull requests, and revisions.

Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does
not validate that the Git parameter value submitted to the
build matches one of the offered choices.

This allows attackers with Item/Build permission to inject
arbitrary values into Git parameters.

Git Parameter Plugin 444.vca_b_84d3703c2 validates that
the Git parameter value submitted to the build matches one
of the offered choices.


Tokens stored in plain text by Aqua Security Scanner Plugin
SECURITY-3542 / CVE-2025-53653
Severity (CVSS): Medium
Affected plugin: aqua-security-scanner
Description:

Aqua Security Scanner Plugin 3.2.8 and earlier stores
Scanner Tokens for Aqua API unencrypted in job config.xml
files on the Jenkins controller as part of its
configuration.

These tokens can be viewed by users with Item/Extended Read
permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn
why we announce this.

AWS Secret Key stored and displayed in plain text by
Statistics Gatherer Plugin
SECURITY-3554 / CVE-2025-53654 (storage), CVE-2025-53655
(masking)
Severity (CVSS): Medium
Affected plugin: statistics-gatherer
Description:

Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS
Secret Key unencrypted in its global configuration file
org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml
on the Jenkins controller as part of its configuration.

This key can be viewed by users with access to the Jenkins
controller file system.

Additionally, the global configuration form does not mask
this key, increasing the potential for attackers to observe
and capture it.

As of publication of this advisory, there is no fix. Learn
why we announce this.


Credentials stored and displayed in plain text by ReadyAPI
Functional Testing Plugin
SECURITY-3556 / CVE-2025-53656 (storage), CVE-2025-53657
(masking)
Severity (CVSS): Medium
Affected plugin: soapui-pro-functional-testing
Description:

ReadyAPI Functional Testing Plugin 1.11 and earlier stores
SLM License Access Keys, client secrets, and passwords
unencrypted in job config.xml files on the Jenkins
controller as part of its configuration.

These credentials can be viewed by users with Item/Extended
Read permission or access to the Jenkins controller file
system.

Additionally, the job configuration form does not mask these
credentials, increasing the potential for attackers to
observe and capture them.

As of publication of this advisory, there is no fix. Learn
why we announce this.


Stored XSS vulnerability in Applitools Eyes Plugin
SECURITY-3509 / CVE-2025-53658
Severity (CVSS): High
Affected plugin: applitools-eyes
Description:

Applitools Eyes Plugin 1.16.5 and earlier does not escape the
Applitools URL on the build page.

This results in a stored cross-site scripting (XSS)
vulnerability exploitable by attackers with Item/Configure
permission.

Applitools Eyes Plugin 1.16.6 rejects Applitools URLs that
contain HTML metacharacters.
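As an added example (written for this bulletin, not code from the Applitools Eyes Plugin), the two controls that together close a stored XSS of this kind: rejecting a configured URL that contains HTML metacharacters when the job configuration is saved, which is the approach the advisory describes for the fixed version, and escaping the value again when it is rendered on the build page. The scheme and host checks are additional hardening chosen for this example and are not stated in the advisory.

```python
import html
from urllib.parse import urlsplit

# Characters that would break out of an HTML attribute or text node. "&" is
# deliberately not in this set: it is legitimate in query strings and is
# neutralised by escaping on output instead.
HTML_METACHARS = frozenset('<>"\'')


def validate_external_url(url):
    """Return (accepted, reason) for a URL supplied via a job configuration.

    Rejecting HTML metacharacters at save time is the fix the advisory
    describes; the scheme, host and control-character checks are extra
    hardening added in this example.
    """
    if not isinstance(url, str) or not url.strip():
        return False, "empty"
    if any(c in HTML_METACHARS for c in url):
        return False, "contains HTML metacharacter"
    if any(ord(c) < 0x20 for c in url):
        return False, "contains control character"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme must be http or https"
    if not parts.netloc:
        return False, "missing host"
    return True, "ok"


def render_link(url):
    """Render the URL on the build page.

    Escaping happens on output regardless of what validation was done on
    input, so a value written by an older plugin version (or by hand into
    config.xml) is still rendered inert.
    """
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}">{safe}</a>'


if __name__ == "__main__":
    for candidate in (
        "https://eyes.applitools.com/app/batches/42",
        'https://example.test/"><img src=x onerror=alert(1)>',
        "javascript:alert(1)",
    ):
        print(candidate, "->", validate_external_url(candidate))
    print(render_link("https://example.test/?a=1&b=2"))
```

Note that validation on save protects only configurations written through the form after the upgrade; values already stored by an affected version remain as they were until the job is re-saved, which is why the output escaping is the control to rely on.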


API keys stored and displayed in plain text by Applitools
Eyes Plugin
SECURITY-3510 / CVE-2025-53742 (storage), CVE-2025-53743
(masking)
Severity (CVSS): Medium
Affected plugin: applitools-eyes
Description:

Applitools Eyes Plugin 1.16.5 and earlier stores Applitools
API keys unencrypted in job config.xml files on the Jenkins
controller as part of its configuration.

These API keys can be viewed by users with Item/Extended
Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these
API keys, increasing the potential for attackers to observe
and capture them.

Applitools Eyes Plugin 1.16.6 masks Applitools API keys
displayed on the configuration form, and stores them encrypted
once job configurations are saved again.


API keys stored and displayed in plain text by QMetry Test
Management Plugin
SECURITY-3532 / CVE-2025-53659 (storage), CVE-2025-53660
(masking)
Severity (CVSS): Medium
Affected plugin: qmetry-test-management
Description:

QMetry Test Management Plugin 1.13 and earlier stores Qmetry
Automation API Keys unencrypted in job config.xml files on
the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read
permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these
API keys, increasing the potential for attackers to observe
and capture them.

As of publication of this advisory, there is no fix. Learn
why we announce this.


API keys displayed without masking by Testsigma Test Plan
run Plugin
SECURITY-3515 / CVE-2025-53661
Severity (CVSS): Low
Affected plugin: testsigma
Description:

Testsigma Test Plan run Plugin stores Testsigma API keys in
job config.xml files on the Jenkins controller as part of
its configuration.

While these API keys are stored encrypted on disk, in
Testsigma Test Plan run Plugin 1.6 and earlier, the job
configuration form does not mask these API keys, increasing
the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix. Learn
why we announce this.


Keys stored in plain text by IFTTT Build Notifier Plugin
SECURITY-3541 / CVE-2025-53662
Severity (CVSS): Medium
Affected plugin: ifttt-build-notifier
Description:

IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT
Maker Channel Keys unencrypted in job config.xml files on
the Jenkins controller as part of its configuration.

These keys can be viewed by users with Item/Extended Read
permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn
why we announce this.


Tokens stored in plain text by IBM Cloud DevOps Plugin
SECURITY-3552 / CVE-2025-53663
Severity (CVSS): Medium
Affected plugin: ibm-cloud-devops
Description:

IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube
authentication tokens unencrypted in job config.xml files
on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read
permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn
why we announce this.


Tokens stored and displayed in plain text by Apica Loadtest
Plugin
SECURITY-3540 / CVE-2025-53664 (storage), CVE-2025-53665
(masking)
Severity (CVSS): Medium
Affected plugin: ApicaLoadtest
Description:

Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest
LTP authentication tokens unencrypted in job config.xml files
on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read
permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these
tokens, increasing the potential for attackers to observe and
capture them.

As of publication of this advisory, there is no fix. Learn why
we announce this.


Tokens stored and displayed in plain text by Dead Man's Snitch
Plugin
SECURITY-3524 / CVE-2025-53666 (storage), CVE-2025-53667
(masking)
Severity (CVSS): Medium
Affected plugin: deadmanssnitch
Description:

Dead Man’s Snitch Plugin 0.1 stores Dead Man’s Snitch tokens
unencrypted in job config.xml files on the Jenkins controller
as part of its configuration.

These tokens can be viewed by users with Item/Extended Read
permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these
tokens, increasing the potential for attackers to observe
and capture them.

As of publication of this advisory, there is no fix. Learn
why we announce this.


API Auth keys stored and displayed in plain text by VAddy
Plugin
SECURITY-3527 / CVE-2025-53668 (storage), CVE-2025-53669
(masking)
Severity (CVSS): Medium
Affected plugin: vaddy-plugin
Description:

VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys
unencrypted in job config.xml files on the Jenkins
controller as part of its configuration.

These API keys can be viewed by users with Item/Extended
Read permission or access to the Jenkins controller file
system.

Additionally, the job configuration form does not mask
these API keys, increasing the potential for attackers
to observe and capture them.

As of publication of this advisory, there is no fix. Learn
why we announce this.


Keys stored and displayed in plain text by Nouvola DiveCloud Plugin
SECURITY-3526 / CVE-2025-53670 (storage), CVE-2025-53671 (masking)
Severity (CVSS): Medium
Affected plugin: nouvola-divecloud
Description:

Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud
API Keys and Credentials Encryption Keys unencrypted in job
config.xml files on the Jenkins controller as part of its
configuration.

These API keys can be viewed by users with Item/Extended Read
permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these
API keys, increasing the potential for attackers to observe
and capture them.

As of publication of this advisory, there is no fix. Learn
why we announce this.


API key stored in plain text by Kryptowire Plugin
SECURITY-3525 / CVE-2025-53672
Severity (CVSS): Low
Affected plugin: kryptowire
Description:

Kryptowire Plugin 0.2 and earlier stores the Kryptowire API
key unencrypted in its global configuration file
org.aerogear.kryptowire.GlobalConfigurationImpl.xml on the
Jenkins controller as part of its configuration.

This API key can be viewed by users with access to the
Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn
why we announce this.


Token stored and displayed in plain text by Sensedia Api
Platform tools Plugin
SECURITY-3551 / CVE-2025-53673 (storage), CVE-2025-53674
(masking)
Severity (CVSS): Medium
Affected plugin: sensedia-api-platform
Description:

Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API
Manager integration token unencrypted in its global
configuration file
com.sensedia.configuration.SensediaApiConfiguration.xml on
the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins
controller file system.

Additionally, the global configuration form does not mask the
token, increasing the potential for attackers to observe and
capture it.

As of publication of this advisory, there is no fix. Learn
why we announce this.


Passwords stored in plain text by Warrior Framework Plugin
SECURITY-3516 / CVE-2025-53675
Severity (CVSS): Medium
Affected plugin: warrior
Description:

Warrior Framework Plugin 1.2 and earlier stores passwords
unencrypted in job config.xml files on the Jenkins
controller as part of its configuration.

These passwords can be viewed by users with Item/Extended
Read permission or access to the Jenkins controller file
system.

As of publication of this advisory, there is no fix. Learn
why we announce this.


Token stored and displayed in plain text by Xooa Plugin
SECURITY-3522 / CVE-2025-53676 (storage), CVE-2025-53677
(masking)
Severity (CVSS): Medium
Affected plugin: xooa
Description:

Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment
token unencrypted in its global configuration file
io.jenkins.plugins.xooa.GlobConfig.xml on the Jenkins
controller as part of its configuration.

This token can be viewed by users with access to the
Jenkins controller file system.

Additionally, the global configuration form does not mask
the token, increasing the potential for attackers to
observe and capture it.

As of publication of this advisory, there is no fix.
Learn why we announce this.


Token stored in plain text by User1st uTester Plugin
SECURITY-3518 / CVE-2025-53678
Severity (CVSS): Low
Affected plugin: user1st-utester
Description:

User1st uTester Plugin 1.1 and earlier stores the uTester
JWT token unencrypted in its global configuration file
io.jenkins.plugins.user1st.utester.UTesterPlugin.xml on
the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins
controller file system.

As of publication of this advisory, there is no fix. Learn
why we announce this.


Severity

    SECURITY-3419: Medium
    SECURITY-3499: Medium
    SECURITY-3509: High
    SECURITY-3510: Medium
    SECURITY-3515: Low
    SECURITY-3516: Medium
    SECURITY-3518: Low
    SECURITY-3522: Medium
    SECURITY-3524: Medium
    SECURITY-3525: Low
    SECURITY-3526: Medium
    SECURITY-3527: Medium
    SECURITY-3532: Medium
    SECURITY-3540: Medium
    SECURITY-3541: Medium
    SECURITY-3542: Medium
    SECURITY-3547: Medium
    SECURITY-3551: Medium
    SECURITY-3552: Medium
    SECURITY-3554: Medium
    SECURITY-3556: Medium


Affected Versions

    Apica Loadtest Plugin up to and including 1.10
    Applitools Eyes Plugin up to and including 1.16.5
    Aqua Security Scanner Plugin up to and including 3.2.8
    Credentials Binding Plugin up to and including 687.v619cb_15e923f
    Dead Man's Snitch Plugin up to and including 0.1
    Git Parameter Plugin up to and including 439.vb_0e46ca_14534
    HTML Publisher Plugin up to and including 425
    IBM Cloud DevOps Plugin up to and including 2.0.16
    IFTTT Build Notifier Plugin up to and including 1.2
    Kryptowire Plugin up to and including 0.2
    Nouvola DiveCloud Plugin up to and including 1.08
    QMetry Test Management Plugin up to and including 1.13
    ReadyAPI Functional Testing Plugin up to and including 1.11
    Sensedia Api Platform tools Plugin up to and including 1.0
    Statistics Gatherer Plugin up to and including 2.0.3
    Testsigma Test Plan run Plugin up to and including 1.6
    User1st uTester Plugin up to and including 1.1
    VAddy Plugin up to and including 1.2.8
    Warrior Framework Plugin up to and including 1.2
    Xooa Plugin up to and including 0.0.7


Fix

    Applitools Eyes Plugin should be updated to version 1.16.6

    Credentials Binding Plugin should be updated to version
687.689.v1a_f775332fc9

    Git Parameter Plugin should be updated to version
444.vca_b_84d3703c2

    HTML Publisher Plugin should be updated to version 427

These versions include fixes to the vulnerabilities described
above. All prior versions are considered to be affected by
these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for
the following plugins:

    Apica Loadtest Plugin
    Aqua Security Scanner Plugin
    Dead Man's Snitch Plugin
    IBM Cloud DevOps Plugin
    IFTTT Build Notifier Plugin
    Kryptowire Plugin
    Nouvola DiveCloud Plugin
    QMetry Test Management Plugin
    ReadyAPI Functional Testing Plugin
    Sensedia Api Platform tools Plugin
    Statistics Gatherer Plugin
    Testsigma Test Plan run Plugin
    User1st uTester Plugin
    VAddy Plugin
    Warrior Framework Plugin
    Xooa Plugin

Learn why we announce these issues.
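Most of the unfixed entries above are of one kind: a plugin writes a credential into a job config.xml or into its global configuration file under JENKINS_HOME without using Jenkins' Secret type, so anyone with Item/Extended Read permission or file system access can read it. The script below is an added example for this bulletin (not code from Jenkins or from any of the plugins named) of how an administrator can audit a controller for such values offline. It relies on one property of Jenkins: hudson.util.Secret serialises its encrypted form as a base64 string wrapped in braces, so a non-empty value in a credential-bearing element that does not have that shape was written in the clear. The element-name pattern is an assumption chosen for the example, since the advisory does not list each plugin's XML field names; the global configuration file names are the ones the advisory gives, and the sample config.xml, its class names and values are constructed.

```python
import glob
import os
import re
import xml.etree.ElementTree as ET

# hudson.util.Secret serialises its encrypted form as "{" + base64 + "}".
# A non-empty value in a credential-bearing field that is not in this form
# was written to disk in the clear.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")

# Element names that commonly carry a credential. This pattern is an
# assumption for the example; the advisory does not document field names.
SECRET_TAG_RE = re.compile(
    r"(?i)(api[-_]?key|token|secret|password|passwd|accesskey|authkey|licensekey)"
)

# Global configuration files named in the advisory, relative to JENKINS_HOME.
GLOBAL_CONFIG_FILES = [
    "org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml",
    "org.aerogear.kryptowire.GlobalConfigurationImpl.xml",
    "com.sensedia.configuration.SensediaApiConfiguration.xml",
    "io.jenkins.plugins.xooa.GlobConfig.xml",
    "io.jenkins.plugins.user1st.utester.UTesterPlugin.xml",
]

# Constructed job config.xml: one builder stores its token in the clear, the
# other stores an encrypted Secret. Class names and values are made up.
SAMPLE_JOB_CONFIG = """<project>
  <builders>
    <com.example.ScannerBuilder plugin="example-scanner@1.0">
      <serverUrl>https://scanner.example.test</serverUrl>
      <apiToken>plain-text-token-12345</apiToken>
    </com.example.ScannerBuilder>
    <com.example.NotifierBuilder plugin="example-notifier@2.0">
      <apiKey>{AQAAABAAAAAQ3Jp3+Vx8mN8y9J6TjZQ1uBfGj2XfnA1W7Jl0k1PkQOE=}</apiKey>
      <password></password>
    </com.example.NotifierBuilder>
  </builders>
</project>
"""


def is_encrypted(value):
    """True if the value has the shape of a serialised hudson.util.Secret."""
    return bool(ENCRYPTED_RE.match(value.strip()))


def find_plaintext_secrets(xml_text, source="<string>"):
    """Return findings for credential-looking elements stored unencrypted.

    Each finding is (source, element path, tag, redacted preview). The
    preview never contains more than the first four characters.
    """
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if text and SECRET_TAG_RE.search(elem.tag) and not is_encrypted(text):
            preview = text[:4] + "..." if len(text) > 4 else "..."
            findings.append((source, here, elem.tag, preview))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def scan_jenkins_home(jenkins_home):
    """Scan every job config.xml (folders included) and the global files above."""
    targets = glob.glob(
        os.path.join(jenkins_home, "jobs", "**", "config.xml"), recursive=True
    )
    targets += [
        p
        for p in (os.path.join(jenkins_home, f) for f in GLOBAL_CONFIG_FILES)
        if os.path.exists(p)
    ]
    findings = []
    for path in sorted(targets):
        with open(path, encoding="utf-8") as fh:
            findings.extend(find_plaintext_secrets(fh.read(), source=path))
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_secrets(SAMPLE_JOB_CONFIG, "sample"):
        print(finding)
    for finding in scan_jenkins_home(os.environ.get("JENKINS_HOME", ".")):
        print(finding)
```

Run it on the controller (or on a copy of JENKINS_HOME) with JENKINS_HOME set. A hit means the value should be treated as exposed to every user holding Item/Extended Read on that job and to anyone with file system access: rotate it at the issuing service and, where the plugin has no fixed release, consider removing the plugin or moving the credential to the Credentials plugin and a job step that does not need the vulnerable plugin. The check says nothing about the separate "masking" CVEs: a value that is encrypted at rest can still be shown unmasked on the configuration form.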


Credit

The Jenkins project would like to thank the reporters for
discovering and reporting these vulnerabilities:

    Aris ISSAD, Aix Marseille University for SECURITY-3540,
SECURITY-3541, SECURITY-3542
    Kyler Katz for SECURITY-3547
    Rennan Cockles, R3Ck; and, independently, wakeward; and
Ido for SECURITY-3499
    Roman Nahornyi, Praxis Tech Ltd for SECURITY-3419
    Romuald Moisan, Aix Marseille University for SECURITY-3516,
SECURITY-3522, SECURITY-3524, SECURITY-3525, SECURITY-3526,
SECURITY-3551, SECURITY-3552, SECURITY-3554
    Romuald Moisan, Aix Marseille University, and Vincent Lardet,
Aix Marseille University for SECURITY-3527, SECURITY-3556
    Said Abdesslem Messadi, Aix Marseille University for
SECURITY-3509, SECURITY-3510
    Vincent Lardet, Aix Marseille University, and Romuald Moisan,
Aix Marseille University for SECURITY-3518
    Zaoui Zakariae, Aix Marseille University for SECURITY-3515,
SECURITY-3532


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
