Moderate severity · NVD Advisory · Published Jul 9, 2025 · Updated Nov 4, 2025

CVE-2025-53663

Description

Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files, exposing them to users with Item/Extended Read permission or file system access.

Vulnerability Description

The Jenkins IBM Cloud DevOps Plugin, versions 2.0.16 and earlier, stores SonarQube authentication tokens in plaintext within job config.xml files on the Jenkins controller. This design flaw means the tokens are not encrypted or masked, making them directly readable in the stored configuration files.[1][2][3]

Exploitation Prerequisites

An attacker must have either the Item/Extended Read permission on a Jenkins job or direct access to the Jenkins controller's file system. With Item/Extended Read, a user can view the job's configuration, including the config.xml file that contains the unencrypted token. Alternatively, any user with filesystem access to the Jenkins controller can read the files directly.[1][3]

Potential Impact

Successful exploitation allows an attacker to retrieve SonarQube authentication tokens. These tokens could be reused to authenticate to a SonarQube server, potentially granting the attacker access to SonarQube resources or enabling further lateral movement within the CI/CD pipeline, depending on the token's permissions.[1][2]

Mitigation Status

According to the Jenkins Security Advisory 2025-07-09, this vulnerability affects the IBM Cloud DevOps Plugin, and there is no fix available from the vendor. The plugin is also marked as deprecated. Users are advised to remove the plugin or use an alternative to prevent exposure of credentials.[1][4]
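Because no fixed release exists, an audit of the controller shows which jobs still hold a readable token. The following is an added example, not code from Jenkins or the plugin: it relies on the Jenkins conventions of a `plugin="name@version"` attribute and of encrypted secrets serialized as `{base64}`, and it assumes the affected fields have `token`, `password` or `secret` in their element names; the sample element names are hypothetical.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PLUGIN = "ibm-cloud-devops"  # plugin short name, from the advisory's Maven coordinates
SECRET_HINT = re.compile(r"token|password|secret", re.I)  # assumed field naming
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")  # Jenkins Secret form: {base64}

def audit_config(path):
    """Return tags of secret-like fields stored in plaintext under plugin elements."""
    data = Path(path).read_bytes()
    # Jenkins writes XML 1.1 declarations; Python's expat parser accepts only 1.0.
    data = re.sub(rb"^(<\?xml\s+version=['\"])1\.1", rb"\g<1>1.0", data)
    findings = []
    for owner in ET.fromstring(data).iter():
        if not owner.get("plugin", "").startswith(PLUGIN + "@"):
            continue
        for el in owner.iter():
            value = (el.text or "").strip()
            if value and SECRET_HINT.search(el.tag) and not ENCRYPTED.match(value):
                findings.append(el.tag)
    return findings

def audit_home(jenkins_home):
    """Map each jobs/**/config.xml under jenkins_home to its plaintext findings."""
    report = {}
    for cfg in sorted(Path(jenkins_home, "jobs").rglob("config.xml")):
        try:
            hits = audit_config(cfg)
        except ET.ParseError:
            continue  # unreadable XML: skip here, review by hand
        if hits:
            report[cfg.relative_to(jenkins_home).as_posix()] = hits
    return report

# Constructed sample; class and field names are hypothetical.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<project><publishers>
  <example.SonarGate plugin="ibm-cloud-devops@2.0.16">
    <exampleSonarToken>%s</exampleSonarToken>
  </example.SonarGate></publishers></project>"""

def demo():
    with tempfile.TemporaryDirectory() as home:
        for job, value in (("plain", "squ_constructed123"), ("sealed", "{AQAAABAAAAAQ}")):
            cfg = Path(home, "jobs", job, "config.xml")
            cfg.parent.mkdir(parents=True)
            cfg.write_text(SAMPLE % value, encoding="utf-8")
        return audit_home(home)
```

Any token the audit reports should be treated as exposed and rotated on the SonarQube side when the plugin is removed.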

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.ibm.devops:ibm-cloud-devops (Maven)
Affected versions: <= 2.0.16
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.
