CVE-2025-53676 io.jenkins.plugins:xooa

Package

Manager: maven
Name: io.jenkins.plugins:xooa
Vulnerable Version: >=0 <=0.0.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00017 (percentile: 0.02644)

Details

Jenkins Xooa Plugin vulnerability exposes unencrypted tokens to authenticated users

Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

Metadata

Created: 2025-07-09T18:30:47Z
Modified: 2025-07-09T22:34:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-56h7-r62c-83qp/GHSA-56h7-r62c-83qp.json
CWE IDs: ["CWE-311"]
Alternative ID: GHSA-56h7-r62c-83qp
Finding: F020
Auto approve: 1