VYPR
Moderate severity · NVD Advisory · Published Jul 9, 2025 · Updated Nov 4, 2025

CVE-2025-53655

Description

Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Statistics Gatherer Plugin 2.0.3 and earlier fails to mask the AWS Secret Key on the global configuration form, increasing the risk of credential exposure.

Vulnerability

Description

The Jenkins Statistics Gatherer Plugin, versions 2.0.3 and earlier, does not mask the AWS Secret Key when displayed on the global configuration form [1]. Unlike other credential fields that typically show asterisks, the AWS Secret Key is displayed in plaintext, making it visible to any user who can view this configuration page [1][4]. This issue is categorized as an improper credential masking vulnerability.
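The pattern the advisory describes is a general one in Jenkins plugin development: a secret stored as a plain String and rendered with an ordinary text box is written into the configuration page's HTML as-is, whereas a field of type hudson.util.Secret rendered with the password form control is stored encrypted and is never sent to the browser in plaintext. The following is an added illustration of the leaky pattern beside the masked one; it is not code from the Statistics Gatherer Plugin, and the class names, package, field name and the Jelly fragments quoted in the comments are assumptions chosen for the example.

```java
// Added illustration (not the Statistics Gatherer Plugin's own code).
// Each class below would normally live in its own source file together
// with its config.jelly; the relevant Jelly line is quoted in the comments.
package example.jenkins.secretmasking; // hypothetical package

import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

// LEAKY PATTERN (the behaviour the advisory describes).
// config.jelly renders the field with a plain text box:
//   <f:entry title="AWS Secret Key" field="awsSecretKey"><f:textbox/></f:entry>
// Because the getter returns the raw String, the plaintext secret lands in the
// value attribute of the input and is readable by anyone who can load the page
// (view source, browser dev tools, or simply reading the form).
@Extension
public class LeakyAwsGlobalConfig extends GlobalConfiguration {
    private String awsSecretKey;

    public LeakyAwsGlobalConfig() {
        load(); // restore persisted values from $JENKINS_HOME
    }

    public String getAwsSecretKey() {
        return awsSecretKey; // plaintext flows straight into the form
    }

    @DataBoundSetter
    public void setAwsSecretKey(String awsSecretKey) {
        this.awsSecretKey = awsSecretKey;
        save(); // also persisted in plaintext on disk
    }
}

// MASKED PATTERN (the fix a plugin author would apply).
// config.jelly renders the field with the password control:
//   <f:entry title="AWS Secret Key" field="awsSecretKey"><f:password/></f:entry>
// The field type is hudson.util.Secret: Jenkins encrypts it with the instance
// master key before saving, and the password control does not expose the
// plaintext in the rendered page, so a viewer of the form cannot read the key.
@Extension
public class MaskedAwsGlobalConfig extends GlobalConfiguration {
    private Secret awsSecretKey;

    public MaskedAwsGlobalConfig() {
        load();
    }

    public Secret getAwsSecretKey() {
        return awsSecretKey; // encrypted wrapper, never the raw String
    }

    @DataBoundSetter
    public void setAwsSecretKey(Secret awsSecretKey) {
        this.awsSecretKey = awsSecretKey;
        save(); // persisted encrypted
    }

    // Decrypt only at the point of use (e.g. when building the AWS client),
    // never for display. Returning "" for an unset key keeps callers simple.
    public String awsSecretKeyPlainText() {
        return awsSecretKey == null ? "" : awsSecretKey.getPlainText();
    }
}
```

The Secret-plus-password-control combination is the baseline for any plugin-level fix; it does not replace the administrative mitigation in this advisory (restricting who can reach the global configuration page) and it still leaves the key inside the plugin's own configuration rather than in the Jenkins credentials store, which is the stronger design.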

Exploitation

Scenario

An attacker who can access the Jenkins controller's global configuration page—for example, a user with Overall/Read permissions—can directly observe the AWS Secret Key [1]. No other authentication or network position is required beyond standard Jenkins web access. The plugin's configuration form does not differentiate between users based on privilege levels when rendering this field, so anyone capable of viewing the settings can capture the secret key [4].

Impact

An attacker who obtains the AWS Secret Key can use it to authenticate directly to AWS services, potentially accessing or modifying cloud resources, exfiltrating data, or incurring costs [1][2]. The severity is assessed as Medium due to the requirement of at least read-level access to Jenkins configuration, but the impact on cloud infrastructure can be significant.

Mitigation

Status

As of the Jenkins Security Advisory 2025-07-09, no fix has been provided for the Statistics Gatherer Plugin. The plugin is listed among several affected plugins without a resolved version [2]. Administrators should restrict access to the global configuration page to trusted users only and consider replacing the plugin's AWS credentials with alternative storage mechanisms, such as Jenkins Credentials Binding, until a patch is released.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins.plugins.statistics.gatherer:statistics-gatherer (Maven)
Affected versions: <= 2.0.3
Patched versions: (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 1