VYPR
Moderate severity · NVD Advisory · Published Jul 9, 2025 · Updated Nov 4, 2025

CVE-2025-53660

Description

Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins QMetry Test Management Plugin 1.13 and earlier exposes Automation API Keys in plaintext on job configuration forms, enabling attackers with view access to capture them.

Vulnerability

Description

The Jenkins QMetry Test Management Plugin versions 1.13 and earlier fail to mask the Qmetry Automation API Key field on the job configuration form. This means the API key is displayed in plaintext when a user views or edits the job configuration, rather than being replaced with asterisks or other obfuscation [1][3]. The root cause is a missing credential masking mechanism for this sensitive field.
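To make the missing masking mechanism concrete, here is an added example of a hypothetical Jenkins build step written for this page; it is not code from the QMetry Test Management Plugin and the class, field and display names are assumed. It contrasts the defect pattern (a plain String field rendered with f:textbox, so the job configuration form echoes the key) with the standard masked pattern (hudson.util.Secret rendered with f:password).

```java
// Hypothetical Jenkins build step (example code, not the plugin's own) showing the
// masked pattern for an API key on a job configuration form.
import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

public class MaskedApiKeyBuilder extends Builder {

    // Defect pattern (the class of bug described above):
    //   private final String apiKey;             // stored in clear text in config.xml
    //   config.jelly: <f:textbox field="apiKey"/> // form shows the key to any viewer
    //
    // Masked pattern: Secret is encrypted at rest with the instance key, and the
    // matching config.jelly entry <f:password field="apiKey"/> renders a password
    // input, so the configuration form shows dots rather than the key itself.
    private final Secret apiKey;

    @DataBoundConstructor
    public MaskedApiKeyBuilder(Secret apiKey) {
        this.apiKey = apiKey;
    }

    // Return the Secret, not getPlainText(): Stapler round-trips the encrypted form.
    public Secret getApiKey() {
        return apiKey;
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        // Decrypt only at the point of use, never when rendering configuration.
        String key = apiKey == null ? "" : apiKey.getPlainText();
        listener.getLogger().println("API key configured: " + !key.isEmpty());
        return true;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
        @Override public String getDisplayName() { return "Masked API key step (example)"; }
    }
}
```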

Exploitation

Prerequisites

An attacker needs only the ability to view a job's configuration page in Jenkins. This typically requires at least "Read" or "View" permissions on the job, which are often granted to a wide range of users in shared Jenkins environments. No additional authentication or network position is required beyond standard Jenkins access [1].

Impact

If an attacker captures the exposed Automation API Key, they can authenticate to the QMetry Test Management service using that key. This could allow unauthorized access to test results, modification of test configurations, or other actions permitted by the API key's scope, potentially compromising the integrity and confidentiality of test management data [3].

Mitigation

Status

As of the Jenkins Security Advisory published on July 9, 2025, this vulnerability remains unresolved; no patched version of the plugin has been released [1][2]. Users are advised to restrict access to job configuration pages, monitor for plugin updates, or consider removing the plugin if it is not essential [2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:qmetry-test-management (Maven)
Affected versions: <= 1.13
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)
