Vulnerability-Lookup

CVE-2025-53672 (GCVE-0-2025-53672)

Vulnerability from cvelistv5 – Published: 2025-07-09 15:39 – Updated: 2025-11-04 21:12

Summary

Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-312 - Cleartext Storage of Sensitive Information

Assigner

jenkins

References

1 reference

URL	Tags
https://www.jenkins.io/security/advisory/2025-07-…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Jenkins Project	Jenkins Kryptowire Plugin	Affected: 0 , ≤ 0.2 (maven)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-53672",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T18:48:07.917216Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-312",
                "description": "CWE-312 Cleartext Storage of Sensitive Information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T19:13:29.205Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:12:24.023Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Jenkins Kryptowire Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "0.2",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-09T15:39:39.579Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2025-07-09",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3525"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2025-53672",
    "datePublished": "2025-07-09T15:39:39.579Z",
    "dateReserved": "2025-07-08T07:51:59.764Z",
    "dateUpdated": "2025-11-04T21:12:24.023Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-53672",
      "date": "2026-05-12",
      "epss": "0.00105",
      "percentile": "0.28075"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-53672\",\"sourceIdentifier\":\"jenkinsci-cert@googlegroups.com\",\"published\":\"2025-07-09T16:15:26.713\",\"lastModified\":\"2025-11-04T22:16:25.177\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.\"},{\"lang\":\"es\",\"value\":\"Jenkins Kryptowire Plugin 0.2 y versiones anteriores almacenan la clave API de Kryptowire sin cifrar en su archivo de configuraci\u00f3n global en el controlador Jenkins, donde los usuarios con acceso al sistema de archivos del controlador Jenkins pueden verla. \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-312\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:kryptowire:*:*:*:*:*:jenkins:*:*\",\"versionEndIncluding\":\"0.2\",\"matchCriteriaId\":\"A24D6AAF-9F50-412D-B10A-8815737815B4\"}]}]}],\"references\":[{\"url\":\"https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3525\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/07/09/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/07/09/4\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-04T21:12:24.023Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53672\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-09T18:48:07.917216Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-312\", \"description\": \"CWE-312 Cleartext Storage of Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-09T18:48:09.703Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Jenkins Project\", \"product\": \"Jenkins Kryptowire Plugin\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"0.2\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3525\", \"name\": \"Jenkins Security Advisory 2025-07-09\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.\"}], \"providerMetadata\": {\"orgId\": \"39769cd5-e6e2-4dc8-927e-97b3aa056f5b\", \"shortName\": \"jenkins\", \"dateUpdated\": \"2025-07-09T15:39:39.579Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-53672\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-04T21:12:24.023Z\", \"dateReserved\": \"2025-07-08T07:51:59.764Z\", \"assignerOrgId\": \"39769cd5-e6e2-4dc8-927e-97b3aa056f5b\", \"datePublished\": \"2025-07-09T15:39:39.579Z\", \"assignerShortName\": \"jenkins\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

BDU:2025-08574

Vulnerability from fstec - Published: 09.07.2025

Title

Уязвимость плагина Kryptowire сервера автоматизации Jenkins, связанная с хранением ключей в незашифрованном виде, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Description

Уязвимость плагина Kryptowire сервера автоматизации Jenkins связана с хранением ключей в незашифрованном виде в файле org.aerogear.kryptowire.GlobalConfigurationImpl.xml. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить несанкционированный доступ к защищаемой информации

Severity ?


                    
                      AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Vendor

CD Foundation

Software Name

Kryptowire

Software Version

до 0.2 включительно (Kryptowire)

Possible Mitigations

Использование рекомендаций: Компенсирующие меры: - использование межсетевого экрана уровня приложений (WAF) для фильтрации пользовательского ввода; - использование виртуальных частных сетей для организации удаленного доступа (VPN).

Reference

https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3525

CWE

CWE-312

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:S/C:C/I:N/A:N",
  "CVSS 3.0": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "CD Foundation",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 0.2 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Kryptowire)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u044d\u043a\u0440\u0430\u043d\u0430 \u0443\u0440\u043e\u0432\u043d\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 (WAF) \u0434\u043b\u044f \u0444\u0438\u043b\u044c\u0442\u0440\u0430\u0446\u0438\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u043e\u0433\u043e \u0432\u0432\u043e\u0434\u0430;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u044b\u0445 \u0447\u0430\u0441\u0442\u043d\u044b\u0445 \u0441\u0435\u0442\u0435\u0439 \u0434\u043b\u044f \u043e\u0440\u0433\u0430\u043d\u0438\u0437\u0430\u0446\u0438\u0438 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430 (VPN).",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "09.07.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "16.07.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "16.07.2025",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-08574",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-53672",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0443\u0435\u0442",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Kryptowire",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043b\u0430\u0433\u0438\u043d\u0430 Kryptowire \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0437\u0430\u0446\u0438\u0438 Jenkins, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u0445\u0440\u0430\u043d\u0435\u043d\u0438\u0435\u043c \u043a\u043b\u044e\u0447\u0435\u0439 \u0432 \u043d\u0435\u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c \u0432\u0438\u0434\u0435, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0435 \u0445\u0440\u0430\u043d\u0435\u043d\u0438\u0435 \u043a\u0440\u0438\u0442\u0438\u0447\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 (CWE-312)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043b\u0430\u0433\u0438\u043d\u0430 Kryptowire \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0437\u0430\u0446\u0438\u0438 Jenkins \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0445\u0440\u0430\u043d\u0435\u043d\u0438\u0435\u043c \u043a\u043b\u044e\u0447\u0435\u0439 \u0432 \u043d\u0435\u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c \u0432\u0438\u0434\u0435 \u0432 \u0444\u0430\u0439\u043b\u0435 org.aerogear.kryptowire.GlobalConfigurationImpl.xml. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0441\u0431\u043e\u0440 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3525",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-312",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,8)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,5)"
}

GHSA-CVG7-767R-W3FQ

Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 20:12

Summary

Jenkins Kryptowire Plugin vulnerability stores unencrypted Kryptowire API key

Details

Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file org.aerogear.kryptowire.GlobalConfigurationImpl.xml on the Jenkins controller as part of its configuration.

This API key can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins.plugins:kryptowire"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53672"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-09T21:38:13Z",
    "nvd_published_at": "2025-07-09T16:15:26Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file `org.aerogear.kryptowire.GlobalConfigurationImpl.xml` on the Jenkins controller as part of its configuration.\n\nThis API key can be viewed by users with access to the Jenkins controller file system.\n\nAs of publication of this advisory, there is no fix.",
  "id": "GHSA-cvg7-767r-w3fq",
  "modified": "2025-11-05T20:12:54Z",
  "published": "2025-07-09T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53672"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/kryptowire-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3525"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Kryptowire Plugin vulnerability stores unencrypted Kryptowire API key"
}

WID-SEC-W-2025-1521

Vulnerability from csaf_certbund - Published: 2025-07-09 22:00 - Updated: 2025-07-09 22:00

Summary

Jenkins Plugins: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterstützung bei Softwareentwicklungen aller Art.

Angriff: Ein entfernter Angreifer kann mehrere Schwachstellen in verschiedenen Jenkins Plugins ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen und um Informationen offenzulegen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX - Windows

CVE-2025-53650

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53651

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53652

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53653

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53654

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53655

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53656

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53657

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53658

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53659

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53660

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53661

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53662

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53663

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53664

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53665

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53666

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53667

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53668

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53669

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53670

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53671

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53672

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53673

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53674

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53675

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53676

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53677

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53678

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53742

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

CVE-2025-53743

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Jenkins Jenkins Plugins Jenkins / Jenkins	`cpe:/a:cloudbees:jenkins:plugins`	Plugins

References

3 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.jenkins.io/security/advisory/2025-07-09/	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Jenkins ist ein erweiterbarer, webbasierter Integration Server zur kontinuierlichen Unterst\u00fctzung bei Softwareentwicklungen aller Art.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter Angreifer kann mehrere Schwachstellen in verschiedenen Jenkins Plugins ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren und um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1521 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1521.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1521 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1521"
      },
      {
        "category": "external",
        "summary": "Jenkins Security Advisory 2025-07-09 vom 2025-07-09",
        "url": "https://www.jenkins.io/security/advisory/2025-07-09/"
      }
    ],
    "source_lang": "en-US",
    "title": "Jenkins Plugins: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-07-09T22:00:00.000+00:00",
      "generator": {
        "date": "2025-07-10T11:19:43.558+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-1521",
      "initial_release_date": "2025-07-09T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-07-09T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Plugins",
                "product": {
                  "name": "Jenkins Jenkins Plugins",
                  "product_id": "T013614",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:cloudbees:jenkins:plugins"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Jenkins"
          }
        ],
        "category": "vendor",
        "name": "Jenkins"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-53650",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53650"
    },
    {
      "cve": "CVE-2025-53651",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53651"
    },
    {
      "cve": "CVE-2025-53652",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53652"
    },
    {
      "cve": "CVE-2025-53653",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53653"
    },
    {
      "cve": "CVE-2025-53654",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53654"
    },
    {
      "cve": "CVE-2025-53655",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53655"
    },
    {
      "cve": "CVE-2025-53656",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53656"
    },
    {
      "cve": "CVE-2025-53657",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53657"
    },
    {
      "cve": "CVE-2025-53658",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53658"
    },
    {
      "cve": "CVE-2025-53659",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53659"
    },
    {
      "cve": "CVE-2025-53660",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53660"
    },
    {
      "cve": "CVE-2025-53661",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53661"
    },
    {
      "cve": "CVE-2025-53662",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53662"
    },
    {
      "cve": "CVE-2025-53663",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53663"
    },
    {
      "cve": "CVE-2025-53664",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53664"
    },
    {
      "cve": "CVE-2025-53665",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53665"
    },
    {
      "cve": "CVE-2025-53666",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53666"
    },
    {
      "cve": "CVE-2025-53667",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53667"
    },
    {
      "cve": "CVE-2025-53668",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53668"
    },
    {
      "cve": "CVE-2025-53669",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53669"
    },
    {
      "cve": "CVE-2025-53670",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53670"
    },
    {
      "cve": "CVE-2025-53671",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53671"
    },
    {
      "cve": "CVE-2025-53672",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53672"
    },
    {
      "cve": "CVE-2025-53673",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53673"
    },
    {
      "cve": "CVE-2025-53674",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53674"
    },
    {
      "cve": "CVE-2025-53675",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53675"
    },
    {
      "cve": "CVE-2025-53676",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53676"
    },
    {
      "cve": "CVE-2025-53677",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53677"
    },
    {
      "cve": "CVE-2025-53678",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53678"
    },
    {
      "cve": "CVE-2025-53742",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53742"
    },
    {
      "cve": "CVE-2025-53743",
      "product_status": {
        "known_affected": [
          "T013614"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53743"
    }
  ]
}

FKIE_CVE-2025-53672

Vulnerability from fkie_nvd - Published: 2025-07-09 16:15 - Updated: 2025-11-04 22:16

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	jenkinsci-cert@googlegroups.com	https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3525	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/07/09/4

Impacted products

	Vendor	Product	Version
	jenkins	kryptowire	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:jenkins:kryptowire:*:*:*:*:*:jenkins:*:*",
              "matchCriteriaId": "A24D6AAF-9F50-412D-B10A-8815737815B4",
              "versionEndIncluding": "0.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system."
    },
    {
      "lang": "es",
      "value": "Jenkins Kryptowire Plugin 0.2 y versiones anteriores almacenan la clave API de Kryptowire sin cifrar en su archivo de configuraci\u00f3n global en el controlador Jenkins, donde los usuarios con acceso al sistema de archivos del controlador Jenkins pueden verla. "
    }
  ],
  "id": "CVE-2025-53672",
  "lastModified": "2025-11-04T22:16:25.177",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-09T16:15:26.713",
  "references": [
    {
      "source": "jenkinsci-cert@googlegroups.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3525"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
    }
  ],
  "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-312"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-53672 (GCVE-0-2025-53672)

BDU:2025-08574

GHSA-CVG7-767R-W3FQ

WID-SEC-W-2025-1521

FKIE_CVE-2025-53672

Tags

Sightings

Nomenclature