VYPR
Moderate severity · NVD Advisory · Published Jul 9, 2025 · Updated Nov 4, 2025

CVE-2025-53653

Description

Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Scanner Tokens for Aqua API are stored unencrypted in job config.xml files, exposing them to users with Item/Extended Read permission or file system access.

The Jenkins Aqua Security Scanner Plugin version 3.2.8 and earlier stores Scanner Tokens for the Aqua API in an unencrypted format within job config.xml files on the Jenkins controller. This vulnerability arises because the plugin fails to encrypt or mask the token before persisting it in the job configuration, contrary to best practices for credential storage [1][3].

The stored tokens can be accessed by any user who has Item/Extended Read permission on a job, or by anyone with direct access to the Jenkins controller's file system. This broad attack surface means that even authenticated users with limited permissions may be able to retrieve the token, especially in multi-tenant Jenkins environments [2].

An attacker who obtains an unencrypted Scanner Token can potentially use it to authenticate to the Aqua API, gaining the same privileges as the legitimate token holder. This could lead to unauthorized access to Aqua Security services, including scanning results and configuration, depending on the token's scope [1][3].

As of the advisory date (2025-07-09), the vulnerability remains unpatched; no fixed version of the plugin has been released. Users are advised to restrict Item/Extended Read permissions to trusted users and to monitor access to the Jenkins controller file system until a security update is available [2].
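Because no fixed plugin version is listed, the practical defensive step is to find out which jobs currently carry a plaintext token. The script below is an added example, not code from the page or from the plugin: it parses Jenkins job config.xml files and flags credential-looking elements whose value is not in the encrypted form that Jenkins' Secret type writes to disk (a base64 string wrapped in braces, e.g. {AQAAABAAAAAQ...}). The element and builder class names in the embedded sample XML (com.example.AquaScannerBuilder, scannerToken) are placeholders constructed for the demonstration; the real plugin's field names are not given on this page, so run it against your own config.xml files rather than trusting the name heuristic alone.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins' hudson.util.Secret serializes encrypted values as "{<base64>}" in config.xml.
ENCRYPTED_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Heuristic: element names that usually hold credential material.
SENSITIVE_NAME_RE = re.compile(r"(token|password|secret|apikey|api_key)", re.IGNORECASE)

# Constructed sample job configuration (placeholder element names, not the plugin's real schema).
SAMPLE_CONFIG_XML = """<project>
  <description>demo job</description>
  <builders>
    <com.example.AquaScannerBuilder>
      <scannerToken>aqua-plaintext-token-EXAMPLE</scannerToken>
      <registryPassword>{AQAAABAAAAAQq1hP7N7t3Q==}</registryPassword>
      <imageName>myapp:latest</imageName>
    </com.example.AquaScannerBuilder>
  </builders>
</project>
"""


def is_encrypted_secret(value):
    """True if the value looks like a Jenkins Secret ciphertext rather than plaintext."""
    return bool(ENCRYPTED_SECRET_RE.match(value.strip()))


def find_plaintext_secrets(config_xml):
    """Return [(element_path, value)] for credential-like elements stored unencrypted."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path):
        for child in elem:
            child_path = f"{path}/{child.tag}"
            text = (child.text or "").strip()
            if text and SENSITIVE_NAME_RE.search(child.tag) and not is_encrypted_secret(text):
                findings.append((child_path, text))
            walk(child, child_path)

    walk(root, root.tag)
    return findings


def redact(value, keep=4):
    """Keep only a short prefix so the report itself does not leak the token."""
    return value[:keep] + "..." if len(value) > keep else "..."


def scan_jobs_directory(jobs_root):
    """Walk every config.xml under a jobs directory and map file path -> redacted findings."""
    report = {}
    for cfg in Path(jobs_root).rglob("config.xml"):
        try:
            findings = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        except (ET.ParseError, OSError):
            continue  # unreadable or malformed file: skip, do not abort the whole scan
        if findings:
            report[str(cfg)] = [(path, redact(value)) for path, value in findings]
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_config_xml.py /var/lib/jenkins/jobs
        for path, items in scan_jobs_directory(sys.argv[1]).items():
            for element_path, redacted in items:
                print(f"{path}: {element_path} = {redacted}")
    else:
        for element_path, value in find_plaintext_secrets(SAMPLE_CONFIG_XML):
            print(f"plaintext secret at {element_path}: {redact(value)}")
```

Run it on the controller as a user that can read the jobs directory; every hit is a job whose token should be rotated once it has been moved into encrypted storage, and the list doubles as the set of jobs whose Item/Extended Read grants deserve review in the meantime.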

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:aqua-security-scanner (Maven)
Affected versions: <= 3.2.8
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1