VYPR
Moderate severity · NVD Advisory · Published Jul 9, 2025 · Updated Nov 4, 2025

CVE-2025-53657

Description

Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier exposes SLM License Access Keys, client secrets, and passwords in plaintext on job configuration forms, enabling credential theft.

The Jenkins ReadyAPI Functional Testing Plugin (formerly SoapUI Pro Functional Testing Plugin) fails to mask sensitive credentials when they are displayed on the job configuration form. Specifically, the plugin does not replace SLM License Access Keys, client secrets, and passwords with asterisks, leaving them visible in plaintext [1][3]. This behavior is present in version 1.11 and all earlier releases.

An attacker who can view a job's configuration page (typically a user with Job/Configure permission) can directly observe these credentials. No additional network access or authentication bypass is required beyond standard Jenkins permissions [2]. The configuration form includes fields such as "SLM License Access Key", "SLM License Client Id", and "Project Password", all of which are displayed unmasked [4].

The impact is significant: an attacker can capture SLM license keys, client secrets, and project passwords. These credentials could be used to activate unauthorized ReadyAPI licenses, access external services tied to the client secrets, or decrypt encrypted project properties [1][3]. This increases the risk of lateral movement or resource abuse within the Jenkins environment.

As of the July 2025 advisory, this vulnerability remains unresolved; no patched version of the plugin has been released [2]. Users are advised to restrict access to job configuration pages to trusted administrators only and to consider using Jenkins' built-in credential store or environment variables for sensitive values as a workaround [1][4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:soapui-pro-functional-testing (Maven)
Affected versions: <= 1.11
Patched versions: (none)

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 4

News mentions: 1