CVE-2025-53665
Description
Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
The Jenkins Apica Loadtest Plugin, in versions 1.10 and earlier, fails to mask Apica Loadtest LTP authentication tokens when they are displayed on the job configuration form. This exposes the token, which is used to authenticate to the Apica Loadtest API endpoint, in plain text [1][3].
Exploitation Context
An attacker who can view the job configuration page in Jenkins, such as a user with at least Job/Read permission or someone who can trick such a user into viewing that page, can observe the unmasked token. The token is required for integrating Jenkins with Apica Loadtest and is typically stored as a credential field in the plugin configuration [4]. No special network access or additional authentication bypass is required beyond the ability to see the configuration UI.
Impact
If captured, the LTP authentication token could be used to authenticate to the Apica Loadtest API on behalf of the Jenkins instance. This could allow an attacker to initiate load tests, access test results, or potentially modify load test configurations, depending on the token's scope and permissions. The disclosure of the token increases the risk of unauthorized actions within the Apica Loadtest service [1][3].
Mitigation Status
As of the Jenkins Security Advisory published on July 9, 2025, the issue remains unpatched; the advisory lists the Apica Loadtest Plugin among plugins with unresolved security issues [2]. Users are advised to restrict access to the Jenkins UI, limit the number of users with Job/Read permission, or consider alternative load testing integrations until a fix is released.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
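For comparison with the unmasked-field behaviour described above, the following is an added example of the standard Jenkins mechanism for keeping a token out of a rendered configuration form: store it as `hudson.util.Secret` and bind it with `<f:password/>`. It is not taken from the plugin's code base (which the advisory says is still unpatched); the class and field names `ApicaLoadtestBuilder` and `ltpAuthToken` are hypothetical.

```java
// Added example (not the plugin's code): the standard Jenkins pattern for keeping a
// token out of the rendered job configuration form. Class/field names are hypothetical.
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

public class ApicaLoadtestBuilder extends Builder {

    // Weak pattern: a plain String is written unencrypted to the job's config.xml and
    // rendered verbatim into the form, so anyone who can open the page can copy it.
    //   private final String ltpAuthToken;

    // Hardened pattern: Secret is stored encrypted under the instance key, and the
    // form tag shown below only ever serialises the encrypted value.
    private final Secret ltpAuthToken;

    @DataBoundConstructor
    public ApicaLoadtestBuilder(Secret ltpAuthToken) {  // Stapler converts the form string
        this.ltpAuthToken = ltpAuthToken;                 // with Secret.fromString()
    }

    // Getter read by the Jelly view; f:password calls getEncryptedValue() on it,
    // so the plaintext never reaches the HTML.
    public Secret getLtpAuthToken() {
        return ltpAuthToken;
    }

    // Only the code that actually calls the Apica endpoint unwraps the plaintext.
    String tokenForApiCall() {
        return Secret.toString(ltpAuthToken);  // null-safe plaintext accessor
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override public boolean isApplicable(Class<? extends AbstractProject> t) { return true; }
        @Override public String getDisplayName() { return "Apica Loadtest (example)"; }
    }
}

/* Matching config.jelly: <f:password/> renders a masked input and round-trips the
   encrypted value, whereas <f:textbox/> would print the token in the clear.

   <f:entry title="LTP auth token" field="ltpAuthToken">
       <f:password/>
   </f:entry>
*/
```

A quick check for an installed plugin is to open a job's config.xml: a field stored as `Secret` appears as an opaque encrypted string, while a plain `String` field shows the token verbatim.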
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.apica:ApicaLoadtestMaven | <= 1.10 | none |
Affected products (2)
- Range: <= 1.10
- Jenkins Project / Jenkins Apica Loadtest Plugin (v5, Range: 0)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/advisories/GHSA-28j3-hphh-cjr8 (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-53665 (source: GHSA; type: advisory)
- www.jenkins.io/security/advisory/2025-07-09/ (source: GHSA; type: vendor advisory, web)
- www.openwall.com/lists/oss-security/2025/07/09/4 (source: GHSA; type: web)
News mentions (1)
- Jenkins Security Advisory 2025-07-09 (Jenkins Security Advisories, Jul 9, 2025)