CVE-2025-53654
Description
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file, readable by any user with Jenkins controller file system access.
Vulnerability
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller [1][4]. The secret is stored in plaintext without any encryption or masking, violating best practices for credential management.
Exploitation
An attacker with access to the Jenkins controller file system can read the global configuration file and obtain the plaintext AWS Secret Key [1]. No authentication or special privileges within Jenkins are required beyond file system access; any user with read permissions on the controller's file system can exploit this vulnerability.
Impact
Successful exploitation exposes the AWS Secret Key, potentially allowing an attacker to access and manipulate AWS resources associated with that key [1][2]. This could lead to unauthorized data access, service disruption, or further compromise of cloud infrastructure.
Mitigation
As of the Jenkins Security Advisory 2025-07-09, no fix has been released for the Statistics Gatherer Plugin [1][2]. Users are advised to restrict access to the Jenkins controller file system and consider removing or replacing the plugin if possible.
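A defender-side check for the condition described above, added here as an example; it is not part of this record, the advisory, or the plugin's own code. It parses a Jenkins configuration XML and reports credential-looking elements whose value is not in the form Jenkins writes for a `hudson.util.Secret` field (base64 ciphertext wrapped in braces). The config file path, the element names in the constructed samples, and the sensitive-name heuristic are assumptions; the page does not name the plugin's configuration file.

```python
import re
import xml.etree.ElementTree as ET

# Jenkins serializes hudson.util.Secret fields as "{<base64 ciphertext>}".
# A credential written as a plain string (the defect described for the plugin)
# lacks that wrapper, so the wrapper is what this audit looks for.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")

# Heuristic list of element names that usually carry credentials
# (assumption: tune it to the plugins installed on your controller).
SENSITIVE_RE = re.compile(r"secret|password|passphrase|token|privatekey", re.IGNORECASE)


def audit_config(xml_text):
    """Classify every sensitive, non-empty element in a Jenkins config XML.

    Returns {tag: "encrypted" | "plaintext"}.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # drop any XML namespace prefix
        if not SENSITIVE_RE.search(tag):
            continue
        value = (elem.text or "").strip()
        if not value:
            continue
        result[tag] = "encrypted" if ENCRYPTED_RE.match(value) else "plaintext"
    return result


def plaintext_findings(xml_text):
    """Return the element names whose credential value is stored unencrypted."""
    return sorted(tag for tag, state in audit_config(xml_text).items() if state == "plaintext")


# Constructed sample: what a global config with the defect looks like (secret key
# written as a bare string). Element and root names are assumptions.
VULNERABLE_CONFIG = """<org.example.StatisticsGathererGlobalConfig>
  <awsRegion>us-east-1</awsRegion>
  <awsAccessKeyId>AKIAEXAMPLEEXAMPLE00</awsAccessKeyId>
  <awsSecretKey>EXAMPLE+plaintext+secret+value+0000000000</awsSecretKey>
</org.example.StatisticsGathererGlobalConfig>
"""

# Constructed sample: the same config once the field is stored as a Jenkins
# Secret; braces around base64 is the shape Jenkins writes, the value is made up.
HARDENED_CONFIG = """<org.example.StatisticsGathererGlobalConfig>
  <awsRegion>us-east-1</awsRegion>
  <awsAccessKeyId>AKIAEXAMPLEEXAMPLE00</awsAccessKeyId>
  <awsSecretKey>{AQAAABAAAAAQc29tZS1jb25zdHJ1Y3RlZC1jaXBoZXJ0ZXh0AAAA}</awsSecretKey>
</org.example.StatisticsGathererGlobalConfig>
"""

if __name__ == "__main__":
    import sys
    # Usage: python audit_jenkins_config.py $JENKINS_HOME/<plugin-config>.xml
    # (placeholder path: the plugin's config file name is not given on this page).
    paths = sys.argv[1:]
    if not paths:
        print("vulnerable sample:", plaintext_findings(VULNERABLE_CONFIG))
        print("hardened sample:  ", plaintext_findings(HARDENED_CONFIG))
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            print(path, plaintext_findings(fh.read()))
```

Run it against the plugin's global configuration XML under `JENKINS_HOME` (and, more generally, against every `*.xml` there) as a periodic check; a hit means the value is readable by anyone with file system access to the controller, which is exactly the exposure this advisory describes. The heuristic only catches credentials stored under recognizable element names, so it complements rather than replaces restricting file system access.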
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins.plugins.statistics.gatherer:statistics-gatherer (Maven) | <= 2.0.3 | — |
Affected products
- Jenkins Project / Jenkins Statistics Gatherer Plugin, range: <= 2.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3c9f-c64m-h4wc (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-53654 (advisory)
- www.jenkins.io/security/advisory/2025-07-09/ (vendor advisory)
- www.openwall.com/lists/oss-security/2025/07/09/4 (web)
News mentions
- Jenkins Security Advisory 2025-07-09 (Jenkins Security Advisories · Jul 9, 2025)