VYPR
Moderate severity · NVD Advisory · Published Jul 9, 2025 · Updated Nov 4, 2025

CVE-2025-53669

Description

Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins VAddy Plugin 1.2.8 and earlier exposes Vaddy API Auth Keys in plaintext on job configuration forms, aiding credential theft.

Vulnerability

Description

The Jenkins VAddy Plugin, used for integrating VAddy web security testing into Jenkins pipelines, fails to mask Vaddy API Auth Keys displayed on the job configuration form. In versions 1.2.8 and earlier, these credentials are shown in plaintext rather than being obfuscated with asterisks, as is standard practice for sensitive fields [1][3]. This flaw increases the risk of credential exposure to anyone who can view the configuration page.

Exploitation

An attacker with access to view a job's configuration—such as a user with Job/Configure permission or a malicious insider—can directly observe the Vaddy API Auth Key in the form field. No additional authentication or network position is required beyond the ability to access the Jenkins UI and the specific job configuration [1][2]. The plugin does not implement proper masking, making the key visible in the browser and potentially in page source or logs.

Impact

Successful capture of the Vaddy API Auth Key allows an attacker to impersonate the legitimate user and interact with the VAddy service, potentially triggering unauthorized security scans, accessing scan results, or incurring costs. The exposure could also lead to further compromise if the key is reused across other services [1][3].

Mitigation

As of the advisory date (2025-07-09), no patched version of the VAddy Plugin has been released. The plugin is listed among unresolved security issues in the Jenkins security advisory [1][2]. Users are advised to restrict access to job configuration forms, monitor for unauthorized access, and consider alternative plugins or manual credential masking until a fix is available.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
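The mitigation above asks administrators to limit who can see job configuration forms until a fix ships. An added example (not from the advisory or the plugin) that a defender can run on a Jenkins controller: an audit script that scans a job's config.xml for credential-looking fields under a VAddy builder that are stored as plain text rather than as an encrypted hudson.util.Secret (which Jenkins serializes as base64 wrapped in braces). The builder class name, the field names and the sample configs are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Encrypted hudson.util.Secret values are serialized as base64 inside braces.
SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Field names that usually carry credentials (heuristic, an assumption).
SENSITIVE_RE = re.compile(r"key|auth|token|secret", re.IGNORECASE)


def find_plaintext_secrets(config_xml: str) -> list[tuple[str, str]]:
    """Return (builder_tag, field_tag) for each credential-looking field
    under a VAddy builder whose value is not an encrypted Secret."""
    root = ET.fromstring(config_xml)
    findings = []
    for builder in root.iter():
        if "vaddy" not in builder.tag.lower():
            continue
        for field in builder:
            if not SENSITIVE_RE.search(field.tag):
                continue
            value = (field.text or "").strip()
            if value and not SECRET_RE.match(value):
                findings.append((builder.tag, field.tag))
    return findings


# Constructed sample job configs; the builder class name is hypothetical.
VULNERABLE_CONFIG = """<project>
  <builders>
    <hypothetical.VaddyBuilder plugin="vaddy-plugin@1.2.8">
      <user>alice</user>
      <authKey>constructed-plaintext-key-123</authKey>
    </hypothetical.VaddyBuilder>
  </builders>
</project>"""

HARDENED_CONFIG = """<project>
  <builders>
    <hypothetical.VaddyBuilder plugin="vaddy-plugin@1.2.8">
      <user>alice</user>
      <authKey>{AQAAABAAAAAQY29uc3RydWN0ZWQtc2FtcGxl}</authKey>
    </hypothetical.VaddyBuilder>
  </builders>
</project>"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, find_plaintext_secrets(cfg))
```

Run it against `$JENKINS_HOME/jobs/*/config.xml`; any finding means the key is stored and rendered in plain text, so rotate it at VAddy once the plugin stores it as a Secret.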

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                      Affected versions   Patched versions
org.jenkins-ci.plugins:vaddy-plugin (Maven)  <= 1.2.8            (none)

Patches

No patches discovered yet.
