CVE-2025-53656
Description
Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins ReadyAPI Functional Testing Plugin stores credentials unencrypted in job config.xml files, exposing them to users with Item/Extended Read or file system access.
Vulnerability
Description
The Jenkins ReadyAPI Functional Testing Plugin, versions 1.11 and earlier, stores SLM License Access Keys, client secrets, and passwords in plaintext within job configuration files (config.xml) on the Jenkins controller [1][3]. This occurs because the plugin writes these credentials into the job configuration without encryption, violating the principle of secure credential storage.
Exploitation
Prerequisites
An attacker must have either the 'Item/Extended Read' permission on the affected job or direct access to the Jenkins controller's file system [1]. No other special network position or authentication is required beyond these permissions, as the credential data is stored in an easily accessible location.
Impact
A successful exploit allows the attacker to read sensitive credentials such as SLM license access keys, client secrets, and passwords [1][3]. These credentials could be reused to access other systems or services, potentially leading to broader compromise.
Mitigation
Status
There is currently no fix available for this plugin; it is listed among unresolved security issues in the 2025-07-09 advisory [2]. Users are advised to restrict 'Item/Extended Read' permissions to trusted users only and to monitor access to the Jenkins controller file system as a workaround until a patched version is released [2].
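One way for an administrator to check whether a job's config.xml holds plaintext credentials of the kind described above. This is an added example, not code from the page or the plugin; it relies on the fact that Jenkins serialises encrypted Secret values as a brace-wrapped base64 string, and the element names in the constructed sample are hypothetical, since the advisory does not name the plugin's actual fields.

```python
# Added example: flag credential-looking elements in a Jenkins job config.xml
# whose values are NOT stored in Jenkins' encrypted Secret form.
# Jenkins writes hudson.util.Secret values as "{<base64>}"; a bare value in a
# field named like password/secret/key means it was saved in plaintext.
import re
import xml.etree.ElementTree as ET

# Name patterns to inspect; the ReadyAPI plugin's real field names are not
# given in the advisory, so this matches on common credential naming.
SENSITIVE_NAME = re.compile(r"(password|secret|accesskey|apikey|token|licensekey)", re.I)
# Jenkins-encrypted Secret: "{" + base64 + "}"
ENCRYPTED_VALUE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def find_plaintext_secrets(config_xml: str) -> list:
    """Return (element_path, value) pairs for sensitive-looking elements whose
    text is non-empty and not in Jenkins' encrypted "{...}" form."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path):
        tag = elem.tag.split("}")[-1]  # drop any XML namespace prefix
        here = f"{path}/{tag}"
        text = (elem.text or "").strip()
        if SENSITIVE_NAME.search(tag) and text and not ENCRYPTED_VALUE.match(text):
            findings.append((here, text))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


# Constructed sample config.xml (hypothetical builder and element names):
# one plaintext access key, one properly encrypted secret, one empty password.
SAMPLE_CONFIG = """<project>
  <builders>
    <com.example.ReadyApiBuilder>
      <slmLicenseAccessKey>ABCD-1234-PLAINTEXT</slmLicenseAccessKey>
      <clientSecret>{AQAAABAAAAAQc29tZWVuY3J5cHRlZA==}</clientSecret>
      <password></password>
    </com.example.ReadyApiBuilder>
  </builders>
</project>"""

if __name__ == "__main__":
    for path, value in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"PLAINTEXT credential at {path}: {value[:4]}...")
```

Run it against each `$JENKINS_HOME/jobs/*/config.xml` to inventory which jobs need their credentials rotated and moved into the Jenkins credentials store.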
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:soapui-pro-functional-testing (Maven) | <= 1.11 | — |
Affected products
- Jenkins Project / Jenkins ReadyAPI Functional Testing Plugin, affected range: <= 1.11
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-884f-p57j-f258 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2025-53656 (advisory)
- [3] www.jenkins.io/security/advisory/2025-07-09/ (vendor advisory)
- [4] www.openwall.com/lists/oss-security/2025/07/09/4 (web)
News mentions
- Jenkins Security Advisory 2025-07-09, Jenkins Security Advisories, Jul 9, 2025