VYPR
Moderate severity · NVD Advisory · Published Jul 9, 2025 · Updated Nov 4, 2025

CVE-2025-53742

Description

Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Applitools API keys are stored in plaintext in Jenkins job config.xml files, accessible to users with Item/Extended Read permission or controller file system access.

Vulnerability

Description

The Jenkins Applitools Eyes Plugin version 1.16.5 and earlier stores the Applitools API key unencrypted in job config.xml files on the Jenkins controller [1][3]. This constitutes a cleartext storage of sensitive information within the Jenkins ecosystem, as the API key is a credential used to access the Applitools visual testing service.

Exploitation and Attack Surface

An attacker can leverage this exposure in two ways. First, any user with the Item/Extended Read permission on a Jenkins job can view the config.xml file via the Jenkins UI, revealing the API key without needing further authentication [1]. Second, any user with direct file system access to the Jenkins controller (e.g., through SSH or a file-sharing mechanism) can retrieve the unencrypted key from the stored job configuration [3]. No additional privileges beyond these access rights are required to extract the secret.

Impact

Successful exploitation allows an attacker to compromise the associated Applitools account. The API key could be used to read or modify visual testing baselines, access test results, or perform other actions authorized by the key within the Applitools service. Given that API keys often grant broad permissions, this can lead to data leakage or manipulation of automated testing pipelines.

Mitigation

Users are advised to upgrade to Applitools Eyes Plugin version 1.16.6, which fixes the issue by ensuring the API key is no longer stored in plaintext in job configurations [1][2]. As a best practice, Jenkins users should consider using the Credentials Binding plugin or environment variables to manage such secrets securely, as noted in the plugin's documentation [4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
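A defender-side check for this class of finding, added here as an example and not code from the advisory or from the plugin: it walks a job config.xml and flags secret-bearing elements whose value is not in the `{<base64>}` form Jenkins uses for encrypted Secret values, and can be pointed at JENKINS_HOME to cover every job on a controller. The element name `apiKey` and the `com.example.*` class names in the constructed sample are assumptions, not the plugin's real serialization.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Tuple

# Element names that commonly carry credentials in plugin job configuration.
SECRET_TAG = re.compile(r"apikey|api_key|secret|token|password", re.IGNORECASE)
# Jenkins writes hudson.util.Secret as "{<base64>}"; anything else reached disk in cleartext.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Constructed sample; <apiKey> and the com.example.* class names are assumptions.
SAMPLE_CONFIG_XML = """<project>
  <builders>
    <com.example.ApplitoolsBuildWrapper plugin="applitools-eyes@1.16.5">
      <serverUrl>https://eyesapi.applitools.com</serverUrl>
      <apiKey>CONSTRUCTED_PLAINTEXT_KEY_1234567890</apiKey>
    </com.example.ApplitoolsBuildWrapper>
    <com.example.OtherStep>
      <token>{AQAAABAAAAAgY29uc3RydWN0ZWRfZW5jcnlwdGVkX2Jsb2I=}</token>
    </com.example.OtherStep>
  </builders>
</project>"""

def is_encrypted_secret(value: str) -> bool:
    """True when the value is in Jenkins' encrypted Secret form."""
    return ENCRYPTED_SECRET.match(value.strip()) is not None

def find_plaintext_secrets(config_xml: str) -> List[Tuple[str, str]]:
    """(element path, masked value) for secret-looking elements stored in cleartext."""
    findings: List[Tuple[str, str]] = []
    def walk(elem: ET.Element, path: str) -> None:
        for child in elem:
            child_path = f"{path}/{child.tag}"
            text = (child.text or "").strip()
            if text and SECRET_TAG.search(child.tag) and not is_encrypted_secret(text):
                # Never echo the key into logs: keep a two-char prefix and the length.
                findings.append((child_path, f"{text[:2]}...({len(text)} chars)"))
            walk(child, child_path)
    root = ET.fromstring(config_xml)
    walk(root, root.tag)
    return findings

def scan_jenkins_home(jenkins_home: str) -> Dict[str, List[Tuple[str, str]]]:
    """Scan every jobs/**/config.xml under JENKINS_HOME on the controller."""
    results: Dict[str, List[Tuple[str, str]]] = {}
    for cfg in Path(jenkins_home).glob("jobs/**/config.xml"):
        hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        if hits:
            results[str(cfg)] = hits
    return results
```

Run `scan_jenkins_home("/var/lib/jenkins")` (path is an assumption) on the controller before and after upgrading to confirm the job configurations no longer hold the key in cleartext.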

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:applitools-eyes (Maven)
Affected versions: <= 1.16.5
Patched versions: (none listed)
