CVE-2025-53659
Description
Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml, accessible to users with Item/Extended Read or file system access.
Vulnerability
Description
The Jenkins QMetry Test Management Plugin, in versions 1.13 and earlier, stores Qmetry Automation API Keys in plaintext within job config.xml files on the Jenkins controller [1][3]. This is a classic example of insecure credential storage, where sensitive authentication material is persisted without encryption, making it vulnerable to unauthorized disclosure.
Exploitation
Prerequisites
An attacker with Item/Extended Read permission on a Jenkins job, or direct access to the Jenkins controller's file system, can retrieve the stored API key from the config.xml file [1][3]. The key is not masked or encrypted, so it can be read in its original form.
Impact
With the exposed Automation API Key, an attacker could authenticate to the QMetry service and potentially access or manipulate test management data associated with the Jenkins integration. The exact impact depends on the QMetry instance's permissions, but could include reading test results, modifying configurations, or exfiltrating sensitive testing data.
Mitigation
Status
As of the advisory publication date (2025-07-09), no fix has been released for this plugin [1][2]. Users of QMetry Test Management Plugin are advised to restrict Item/Extended Read permissions to trusted users only, and to monitor the Jenkins controller file system for unauthorized access. The plugin is listed among those with unresolved security issues [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
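An added example, not part of this CVE record or the plugin's own code, of the kind of audit the mitigation above implies: walk a job's config.xml and flag secret-like elements whose value is not in the brace-wrapped base64 form Jenkins uses for hudson.util.Secret fields. The sample config.xml, the builder class name and the element names are constructed stand-ins, not the QMetry plugin's real serialisation.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Jenkins serialises hudson.util.Secret fields as base64 wrapped in braces,
# e.g. {AQAAABAAAAAw...}. A secret-like element whose text does not look like
# that is stored in the clear, which is the condition this CVE describes.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Substrings of element names that normally hold credentials (matched case-insensitively).
SECRET_TAG_HINTS = ("apikey", "api_key", "token", "password", "secret")


def _walk(elem, path, findings):
    for child in elem:
        child_path = f"{path}/{child.tag}"
        text = (child.text or "").strip()
        looks_secret = any(h in child.tag.lower() for h in SECRET_TAG_HINTS)
        if text and looks_secret and not ENCRYPTED_SECRET.match(text):
            # Report where the value lives and how long it is; never echo the value itself.
            findings.append({"path": child_path, "value_length": len(text)})
        _walk(child, child_path, findings)


def find_plaintext_secrets(config_xml: str):
    """Return secret-like elements in a Jenkins config.xml whose value is not encrypted."""
    root = ET.fromstring(config_xml)
    findings = []
    _walk(root, root.tag, findings)
    return findings


# Constructed sample config.xml: the builder class and element names are hypothetical.
SAMPLE_CONFIG_XML = """<project>
  <builders>
    <com.example.qmetry.QmetryBuilder>
      <automationApiKey>qm-1234567890abcdef</automationApiKey>
      <projectId>42</projectId>
    </com.example.qmetry.QmetryBuilder>
    <com.example.other.Publisher>
      <apiToken>{AQAAABAAAAAwxyz123456789abcdefghijklmnopqrstuvwxyz==}</apiToken>
    </com.example.other.Publisher>
  </builders>
</project>
"""

if __name__ == "__main__":
    # Usage: python audit_config_xml.py $JENKINS_HOME/jobs/*/config.xml (no args scans the sample)
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or [("sample", SAMPLE_CONFIG_XML)]
    for name, xml_text in sources:
        for f in find_plaintext_secrets(xml_text):
            print(f"{name}: plaintext value ({f['value_length']} chars) at {f['path']}")
```

The check is heuristic: it keys on element names, so a plugin that stores a key under an unusual tag name is not caught, and a reported finding should be confirmed against the plugin's source before rotating credentials.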
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:qmetry-test-management | Maven | <= 1.13 | none |
Affected products
- Range: <= 1.13
- Jenkins Project / Jenkins QMetry Test Management Plugin (v5), Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-p9gh-rpjw-78qg (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-53659 (GHSA, advisory)
- www.jenkins.io/security/advisory/2025-07-09/ (GHSA, vendor advisory, web)
- www.openwall.com/lists/oss-security/2025/07/09/4 (GHSA, web)
News mentions
- Jenkins Security Advisory 2025-07-09, Jenkins Security Advisories · Jul 9, 2025