CVE-2025-53670
Description
Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores API keys and encryption keys unencrypted in job config.xml files, exposing them to users with Item/Extended Read permission or file system access.
Vulnerability
Description
The Nouvola DiveCloud Plugin for Jenkins, in versions 1.08 and earlier, stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller [1][3]. Jenkins provides `hudson.util.Secret` (and the Credentials plugin on top of it) precisely so that plugin-held secrets reach disk encrypted with a controller-local key; this plugin writes the values as plain text instead, so the keys are no better protected than any other job setting and are readable by anyone who can read the job configuration.
Exploitation
To exploit this vulnerability, an attacker needs either the Item/Extended Read permission for a job on the Jenkins controller or direct access to the controller's file system [1][3]. Jenkins serves a job's configuration over HTTP at `/job/<name>/config.xml` to users holding Item/Extended Read, so no shell on the controller is required; the keys are stored in plaintext within that file and are retrievable without any decryption step.
Impact
Successful exploitation allows an attacker to obtain DiveCloud API Keys and Credentials Encryption Keys [1][3]. Because the values are working credentials rather than hashes, an attacker holding them could access and manipulate DiveCloud services on the organisation's behalf, and anything encrypted under the exposed encryption keys should be treated as compromised. The same plaintext also ends up in config.xml backups and in any job-config export, which widens the set of people who can read it beyond the Jenkins permission model.
Mitigation
According to the Jenkins Security Advisory 2025-07-09, the Nouvola DiveCloud Plugin has an unresolved security issue, meaning no fixed release is available at this time [1][2]. Until one exists, restrict Item/Extended Read to trusted users, limit file system access to the controller to administrators, and consider removing or replacing the plugin. Restricting permissions does not revoke keys that have already been readable, so rotate the DiveCloud API Keys and Credentials Encryption Keys of every job that uses the plugin, and check backups and exported job configurations for the same plaintext.
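An audit script that serves both the Exploitation and Mitigation points above: it reads job config.xml files (the same content an Item/Extended Read user obtains from `/job/<name>/config.xml`) and reports secret-looking elements whose value is not in the brace-wrapped base64 form that `hudson.util.Secret` writes. This is an added example, not code from the page or from the DiveCloud plugin; the plugin's real XML element names are not given in the advisory, so the `placeholder.DiveCloudBuilder`, `apiKey` and `credsEncryptionKey` names in the constructed sample, and the tag-name patterns in `SECRET_TAG_RE`, are assumptions.

```python
"""Audit Jenkins job config.xml files for secrets stored outside hudson.util.Secret.

Added example for the advisory above; element names below are assumptions,
not the DiveCloud plugin's actual configuration format.
"""
import base64
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Tag names that commonly carry secrets. Assumption: the plugin's fields look like
# these; widen the pattern if your config.xml uses other names.
SECRET_TAG_RE = re.compile(
    r"(api[_-]?key|encryption[_-]?key|secret|password|passwd|token)", re.I
)

# hudson.util.Secret serialises as "{<base64>}" on current Jenkins releases.
# (The legacy brace-less format is not recognised here and will be reported.)
SECRET_VALUE_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Constructed sample config.xml with one plugin block holding two plaintext keys
# and one unrelated builder whose password is a proper Jenkins Secret.
SAMPLE_CONFIG = """<project>
  <builders>
    <placeholder.DiveCloudBuilder plugin="nouvola-divecloud@1.08">
      <apiKey>dc-live-0123456789abcdef</apiKey>
      <credsEncryptionKey>s3cr3t-encryption-key</credsEncryptionKey>
      <planId>42</planId>
    </placeholder.DiveCloudBuilder>
    <placeholder.OtherBuilder>
      <password>{AQAAABAAAAAQZGVhZGJlZWY=}</password>
    </placeholder.OtherBuilder>
  </builders>
</project>
"""


def is_jenkins_encrypted(value: str) -> bool:
    """True if value has the {base64} shape hudson.util.Secret writes to XML."""
    value = value.strip()
    if not SECRET_VALUE_RE.match(value):
        return False
    try:
        base64.b64decode(value[1:-1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def find_plaintext_secrets(config_xml: str) -> list[tuple[str, str]]:
    """Return (element path, value) for secret-named elements not stored as a Secret."""
    root = ET.fromstring(config_xml)
    findings: list[tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        for child in elem:
            child_path = f"{path}/{child.tag}"
            text = (child.text or "").strip()
            if text and SECRET_TAG_RE.search(child.tag) and not is_jenkins_encrypted(text):
                findings.append((child_path, text))
            walk(child, child_path)

    walk(root, root.tag)
    return findings


def scan_jenkins_home(jenkins_home: Path) -> dict[str, list[tuple[str, str]]]:
    """Scan jobs/*/config.xml (including jobs nested in folders) under JENKINS_HOME."""
    results: dict[str, list[tuple[str, str]]] = {}
    for cfg in sorted(jenkins_home.glob("jobs/**/config.xml")):
        findings = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        if findings:
            results[str(cfg.relative_to(jenkins_home))] = findings
    return results


if __name__ == "__main__":
    # Usage: python audit_config_xml.py /var/lib/jenkins   (falls back to the sample)
    if len(sys.argv) > 1:
        report = scan_jenkins_home(Path(sys.argv[1]))
    else:
        report = {"(sample)": find_plaintext_secrets(SAMPLE_CONFIG)}
    for job, hits in report.items():
        for path, value in hits:
            # Print only a prefix so the audit log does not become a second leak.
            print(f"{job}: {path} = {value[:4]}...")
```

Run it against a copy of `JENKINS_HOME`, or feed it the body of `GET /job/<name>/config.xml` fetched with an Extended Read account to confirm what such a user can see. Every hit is a key to rotate; the output deliberately truncates values so the audit itself does not spread the plaintext further.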
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:nouvola-divecloud (Maven) | <= 1.08 | — |
Affected products
- Jenkins Project / Jenkins Nouvola DiveCloud Plugin, affected range: <= 1.08
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-45hr-8gq6-7f7f (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-53670 (NVD entry)
- www.jenkins.io/security/advisory/2025-07-09/ (vendor advisory)
- www.openwall.com/lists/oss-security/2025/07/09/4 (oss-security post)
News mentions
- Jenkins Security Advisory 2025-07-09 (Jenkins Security Advisories, Jul 9, 2025)