CVE-2025-53661 – io.jenkins.plugins:testsigma

Package

Manager: maven
Name: io.jenkins.plugins:testsigma
Vulnerable Version: >=0 <=1.6

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00032 pctl0.07699

Details

Jenkins Testsigma Test Plan vulnerability exposes API keys via job configuration form Jenkins Testsigma Test Plan run Plugin stores Testsigma API keys in job `config.xml` files on the Jenkins controller as part of its configuration. While these API keys are stored encrypted on disk, in Testsigma Test Plan run Plugin 1.6 and earlier, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them. As of publication of this advisory, there is no fix.

Metadata

Created: 2025-07-09T18:30:46Z
Modified: 2025-07-09T21:14:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-8wp4-r84g-gcmw/GHSA-8wp4-r84g-gcmw.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-8wp4-r84g-gcmw
Finding: F035
Auto approve: 1