VYPR
Moderate severityNVD Advisory· Published Jul 9, 2025· Updated Nov 4, 2025

CVE-2025-53662

Description

Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files, exposing them to users with Item/Extended Read permission or file system access.

Vulnerability

Description

The IFTTT Build Notifier Plugin for Jenkins, versions 1.2 and earlier, stores IFTTT Maker Channel Keys in plaintext within job configuration files (config.xml) on the Jenkins controller [1][3]. This issue stems from the plugin's failure to encrypt or mask sensitive credentials before persisting them, violating Jenkins' secure storage best practices. The Maker Channel Key is a secret token used to authenticate with IFTTT's web service, enabling automated notifications for build status [4].

Exploitation

Conditions

An attacker who has been granted Item/Extended Read permission on a Jenkins job can view the config.xml file through the Jenkins web interface and retrieve the stored channel key [1][3]. Additionally, any user with direct access to the Jenkins controller's file system (e.g., operating system access) can read the config.xml files from the jobs directory and extract the key. No elevated privileges or authentication bypass is required beyond those permissions.

Impact

With the compromised IFTTT Maker Channel Key, an attacker could impersonate the Jenkins instance to send arbitrary web requests to IFTTT, potentially triggering maker recipes configured by the Jenkins administrator [4][3]. This could lead to unauthorized actions in external services connected via IFTTT applets, such as posting to social media, modifying smart home devices, or updating project management tools, depending on the recipes in use.

Mitigation

Status

As of the Jenkins Security Advisory published on July 9, 2025, no fixed version of the plugin has been released, and the vulnerability remains unresolved [1][2]. The Jenkins security team advises users to either remove the plugin if it is not essential, or to manually restrict access to job configuration files using file system permissions and carefully manage Item/Extended Read permissions. The plugin appears to be no longer maintained, so a fix is unlikely [4].
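The defect described above, and the interim mitigation, both come down to the same check: a job's config.xml holding a secret that is not in Jenkins' encrypted form. The following scanner is an added example, not code from the advisory or the plugin; it assumes secret-bearing elements can be recognised by name (the advisory does not say how the plugin names its field), and its sample config.xml and element names are constructed.

```python
"""Flag secret-like values stored unencrypted in Jenkins job config.xml.
Jenkins writes Secret values as '{<base64>}'; a secret-like element whose
text is not in that form is plaintext, the defect this advisory describes."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# The advisory does not name the plugin's field, so matching on these
# words in element names is an assumption.
SECRET_NAME = re.compile(r"key|token|secret|password|passphrase", re.I)
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def find_plaintext_secrets(config_xml: str):
    """Return (element_path, value) pairs for secret-like elements whose
    text is not in Jenkins' encrypted '{...}' form."""
    findings = []
    root = ET.fromstring(config_xml)
    stack = [(root, root.tag)]
    while stack:
        node, path = stack.pop()
        for child in node:
            child_path = f"{path}/{child.tag}"
            text = (child.text or "").strip()
            if text and SECRET_NAME.search(child.tag) and not ENCRYPTED.match(text):
                findings.append((child_path, text))
            stack.append((child, child_path))
    return findings


def scan_jobs_dir(jenkins_home: str):
    """Map each jobs/*/config.xml under JENKINS_HOME to its findings."""
    results = {}
    for cfg in Path(jenkins_home).glob("jobs/*/config.xml"):
        hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        if hits:
            results[str(cfg)] = hits
    return results


# Constructed sample; the publisher and element names are hypothetical.
SAMPLE_CONFIG = """<project><publishers>
  <hypothetical.IftttBuildNotifier>
    <eventName>build_finished</eventName>
    <makerChannelKey>EXAMPLE-plaintext-maker-key</makerChannelKey>
  </hypothetical.IftttBuildNotifier>
  <hypothetical.OtherNotifier>
    <apiToken>{AQAAABAAAAAQexampleEncrypted==}</apiToken>
  </hypothetical.OtherNotifier>
</publishers></project>"""
```

Run `scan_jobs_dir("/var/lib/jenkins")` (or wherever JENKINS_HOME is) to list every job whose config.xml still carries a plaintext secret; those are the jobs whose Item/Extended Read grants need review until the plugin is removed.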

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:ifttt-build-notifier (Maven)
Affected versions: <= 1.2
Patched versions: none

Patches

No patches discovered yet.
