CVE-2025-53672
Description
Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key in cleartext in a global configuration file, exposing it to users with file system access on the Jenkins controller.
Vulnerability Description
The Jenkins Kryptowire Plugin, versions 0.2 and earlier, stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller [1][3]. This plaintext storage violates security best practices for handling credentials, leaving the API key accessible to anyone who can read the Jenkins controller's file system [1][2].
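As an added illustration (not code from the Kryptowire plugin or from the advisory), the two global-configuration classes below use hypothetical names to show why a plain String field ends up readable on the controller's disk and the idiomatic Jenkins fix of holding the key as hudson.util.Secret:

```java
// Added example with hypothetical class names; not the Kryptowire plugin's code.
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

// BEFORE: the pattern this advisory describes. A String field is serialized
// verbatim into $JENKINS_HOME/<config-class>.xml on the controller, e.g.
//   <apiKey>the-real-api-key</apiKey>
// so anyone who can read the controller file system can read the key.
// (No @Extension here on purpose: it is shown only for contrast.)
class LeakyApiKeyConfig extends GlobalConfiguration {
    private String apiKey;

    public LeakyApiKeyConfig() { load(); }

    public String getApiKey() { return apiKey; }

    @DataBoundSetter
    public void setApiKey(String apiKey) { this.apiKey = apiKey; save(); }
}

// AFTER: hold the key as hudson.util.Secret. Jenkins' XStream converter for
// Secret writes the value encrypted with the instance's master key, so the
// same XML file now contains ciphertext, and the plaintext only exists in
// memory at the point of use.
@Extension
public class HardenedApiKeyConfig extends GlobalConfiguration {
    private Secret apiKey;

    public HardenedApiKeyConfig() { load(); }

    public static HardenedApiKeyConfig get() {
        return GlobalConfiguration.all().get(HardenedApiKeyConfig.class);
    }

    // Returned as Secret so callers (and the Jelly form) never see plaintext
    // unless they explicitly ask for it.
    public Secret getApiKey() { return apiKey; }

    @DataBoundSetter
    public void setApiKey(Secret apiKey) { this.apiKey = apiKey; save(); }

    // Decrypt only when building the outbound API request; never log this value.
    public String apiKeyForRequest() {
        return apiKey == null ? "" : apiKey.getPlainText();
    }
}
```

The matching Jelly view should bind the field with `<f:password>` rather than `<f:textbox>` so the value round-trips as an encrypted Secret. Because `Secret.fromString()` accepts both legacy plaintext and already-encrypted input, an existing plaintext key is re-saved encrypted the first time the configuration is submitted.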
Exploitation Path
To exploit this vulnerability, an attacker must have access to the Jenkins controller's file system [1][3]. This could be achieved by a malicious insider with file read permissions, or through another vulnerability that allows file access [2]. No network-based attack vector is described; the exposure depends on the attacker's ability to read files on the controller [3].
Impact
An attacker who retrieves the unencrypted API key can impersonate the Jenkins instance to the Kryptowire platform, potentially accessing sensitive data or performing unauthorized actions on behalf of the plugin [1][3]. The impact is limited to the functionality and data accessible via that API key.
Mitigation Status
As of the advisory publication on July 9, 2025, the vulnerability remains unresolved in the Kryptowire Plugin; the Jenkins Security Advisory lists it among plugins with unresolved security issues [2]. No patch version is available, and users are advised to restrict file system access to the Jenkins controller as a workaround [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:kryptowireMaven | <= 0.2 | — |
Affected products
- Range: <= 0.2
- Jenkins Project / Jenkins Kryptowire Plugin, range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cvg7-767r-w3fq (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-53672 (advisory)
- www.jenkins.io/security/advisory/2025-07-09/ (vendor advisory)
- www.openwall.com/lists/oss-security/2025/07/09/4 (web)
News mentions
- Jenkins Security Advisory 2025-07-09 (Jenkins Security Advisories, Jul 9, 2025)