CVE-2025-53654
📋 TL;DR
The Jenkins Statistics Gatherer Plugin stores the AWS Secret Key used by its AWS integration unencrypted in its global configuration file on the Jenkins controller. Anyone who can read the controller file system (administrators, operators with shell access, or anyone holding a backup of $JENKINS_HOME) can recover a working AWS credential from it. This affects Jenkins instances that use the plugin with AWS integration configured.
💻 Affected Systems
- Jenkins Statistics Gatherer Plugin 2.0.3 and earlier (fixed in 2.0.4)
📦 What is this software?
Statistics Gatherer is a Jenkins plugin that collects statistics about Jenkins activity (builds, queue and job events) and ships them to external endpoints. Its AWS integration is configured globally with an access key and secret key; that global configuration file is where the unencrypted secret is written.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain AWS credentials, leading to unauthorized access to AWS resources, data exfiltration, or resource hijacking for cryptocurrency mining.
Likely Case
Internal users with file system access steal AWS credentials for unauthorized AWS operations or lateral movement.
If Mitigated
Exposure is limited to users who already have controller file system access (and to copies of the configuration file in backups); strict access controls plus rotation of the exposed key prevent or contain credential theft.
🎯 Exploit Status
Exploitation requires read access to the Jenkins controller file system (or to a copy of the configuration file, such as a backup); no authentication bypass or Jenkins-level privilege is needed beyond that. This is a plaintext-storage weakness, not a remotely triggerable bug, so there is no exploit to run: reading the file is the whole attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.4 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3554
Restart Required: Yes
Instructions:
1. Update Jenkins Statistics Gatherer Plugin to version 2.0.4 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.
3. Open the plugin's global configuration and save it again: upgrading alone does not rewrite the existing configuration file, so the stored value stays in plaintext until the configuration is re-saved with the fixed plugin.
4. Verify that the <secretKey> entry in the configuration file is now an encrypted value (a Jenkins Secret, base64 wrapped in braces) rather than the raw key.
5. Rotate the AWS access key that was stored unencrypted: it may already exist in backups, snapshots or log archives taken before the fix.
🔧 Temporary Workarounds
Remove AWS credentials from plugin configuration
Manually remove the AWS Secret Key from the global configuration file and use alternative credential storage where the integration allows it.
Locate and edit $JENKINS_HOME/org.jenkinsci.plugins.statistics.gatherer.StatisticsConfiguration.xml to remove <secretKey> entries (stop Jenkins or re-save the configuration afterwards so the in-memory configuration does not write the value back).
Restrict file system access
Limit access to the Jenkins controller file system to trusted administrators only.
Use OS-level permissions: the configuration file should be owned by the Jenkins service user with mode 600 (it must stay readable by that user or the plugin cannot load its settings), and $JENKINS_HOME itself should not be world- or group-readable. Apply the same restriction to backups of $JENKINS_HOME, which carry the same plaintext value.
🧯 If You Can't Patch
- Remove the AWS credentials from the plugin configuration and, if the integration supports it, authenticate another way (for example an IAM role attached to the controller instance); only move to the Jenkins Credentials Plugin if the plugin version in use can consume credentials from it.
- Rotate the AWS access key that was stored in plaintext, and scope the replacement key's IAM policy to the minimum the plugin needs.
- Implement strict access controls on the Jenkins controller file system and on its backups to prevent unauthorized reads.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in Jenkins Plugin Manager or examine $JENKINS_HOME/org.jenkinsci.plugins.statistics.gatherer.StatisticsConfiguration.xml for unencrypted <secretKey> tags.
Check Version:
grep 'Plugin-Version' "$JENKINS_HOME/plugins/statistics-gatherer/META-INF/MANIFEST.MF"
Verify Fix Applied:
Confirm plugin version is 2.0.4+ and check configuration file for encrypted or absent <secretKey> entries.
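The following script is an added example, not part of the original page or of the plugin project: it reads the Plugin-Version from the manifest, compares it against the fixed release 2.0.4, and classifies the <secretKey> element in the configuration file as absent, encrypted or plaintext. It relies on the manifest and configuration paths named on this page and on the fact that Jenkins writes encrypted hudson.util.Secret values as base64 inside braces. The two configuration files and the manifest it runs against are constructed samples (the secret is the AWS documentation example key); point $MANIFEST and $CONFIG at the real files on a controller.

```shell
#!/bin/sh
# Added check for CVE-2025-53654: is the plugin at a fixed version, and is the
# stored AWS Secret Key encrypted? Sample files below are constructed for the
# demonstration and contain no real credentials.

JENKINS_HOME="${JENKINS_HOME:-/var/lib/jenkins}"
MANIFEST="$JENKINS_HOME/plugins/statistics-gatherer/META-INF/MANIFEST.MF"
CONFIG="$JENKINS_HOME/org.jenkinsci.plugins.statistics.gatherer.StatisticsConfiguration.xml"

# Print the Plugin-Version value from a manifest file (manifests use CRLF, so strip the CR).
plugin_version() {
  sed -n 's/^Plugin-Version: *//p' "$1" | tr -d '\r'
}

# Exit 0 if the dotted version in $1 is 2.0.4 or later (the fixed release), 1 otherwise.
# A suffix such as "2.0.4-SNAPSHOT" is tolerated: awk's numeric conversion reads the leading digits.
version_fixed() {
  printf '%s\n' "$1" | awk -F. '{
    maj = $1 + 0; min = $2 + 0; pat = $3 + 0
    exit !(maj > 2 || (maj == 2 && min > 0) || (maj == 2 && min == 0 && pat >= 4))
  }'
}

# Classify the first <secretKey> element in a config file: absent, encrypted or PLAINTEXT.
# Jenkins stores encrypted Secret values as base64 wrapped in braces, e.g. {AQAAABAAAAAw...};
# anything else in that element is the raw AWS Secret Key.
secret_key_state() {
  val=$(sed -n 's/.*<secretKey>\(.*\)<\/secretKey>.*/\1/p' "$1" | head -n 1)
  if [ -z "$val" ]; then
    echo absent
  elif printf '%s\n' "$val" | grep -Eq '^\{[A-Za-z0-9+/=]+\}$'; then
    echo encrypted
  else
    echo PLAINTEXT
  fi
}

# Constructed samples: the file before the fix (plaintext) and after re-saving with 2.0.4 (encrypted).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PLAIN="$SAMPLE_DIR/plain.xml"
SAMPLE_ENC="$SAMPLE_DIR/enc.xml"
SAMPLE_MANIFEST="$SAMPLE_DIR/MANIFEST.MF"
cat > "$SAMPLE_PLAIN" <<'EOF'
<?xml version='1.1' encoding='UTF-8'?>
<org.jenkinsci.plugins.statistics.gatherer.StatisticsConfiguration>
  <accessKey>AKIAEXAMPLE0000001</accessKey>
  <secretKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</secretKey>
</org.jenkinsci.plugins.statistics.gatherer.StatisticsConfiguration>
EOF
cat > "$SAMPLE_ENC" <<'EOF'
<?xml version='1.1' encoding='UTF-8'?>
<org.jenkinsci.plugins.statistics.gatherer.StatisticsConfiguration>
  <accessKey>AKIAEXAMPLE0000001</accessKey>
  <secretKey>{AQAAABAAAAAwc2FtcGxlLWNpcGhlcnRleHQtbm90LXJlYWwtZGF0YS1mb3ItZGVtbw==}</secretKey>
</org.jenkinsci.plugins.statistics.gatherer.StatisticsConfiguration>
EOF
printf 'Manifest-Version: 1.0\r\nPlugin-Version: 2.0.3\r\n' > "$SAMPLE_MANIFEST"

# Run against the samples; substitute "$MANIFEST" and "$CONFIG" on a real controller.
ver=$(plugin_version "$SAMPLE_MANIFEST")
if version_fixed "$ver"; then echo "plugin $ver: fixed"; else echo "plugin $ver: VULNERABLE"; fi
echo "plain sample:     $(secret_key_state "$SAMPLE_PLAIN")"
echo "encrypted sample: $(secret_key_state "$SAMPLE_ENC")"
```

Both checks matter: a controller can run 2.0.4 and still report PLAINTEXT if the configuration was never re-saved after the upgrade, and an "encrypted" result on the live file says nothing about older backups, which still hold the pre-fix value.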
📡 Detection & Monitoring
Log Indicators:
- AWS CloudTrail events that use the access key configured in the plugin from a source IP other than the Jenkins controller, or for API actions the plugin never performs (reconnaissance calls such as GetCallerIdentity or ListBuckets are typical first moves with a stolen key)
- Reads of the plugin configuration file by accounts other than the Jenkins service user. Jenkins itself does not log reads of its own configuration files, so this needs an OS-level audit watch, for example with auditd: auditctl -w $JENKINS_HOME/org.jenkinsci.plugins.statistics.gatherer.StatisticsConfiguration.xml -p r -k jenkins-secrets
Network Indicators:
- Unexpected outbound connections to AWS API endpoints from the Jenkins controller, or AWS API activity attributed to the plugin's key from hosts that are not the controller
SIEM Query:
Splunk-style query over CloudTrail; substitute the plugin's access key ID and the controller's egress address:
sourcetype="aws:cloudtrail" userIdentity.accessKeyId="<plugin-access-key-id>" sourceIPAddress!="<jenkins-controller-ip>"
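The following detection is an added example, not part of the original page or of any vendor tooling: it applies the CloudTrail-side rule above to a stream of events and flags every use of the plugin's access key from an address other than the controller. The access key ID, controller IP and event records are constructed placeholders, and the events are assumed to be flattened to one JSON object per line (for example with jq -c '.Records[]' over a CloudTrail log file) so that plain grep can match them.

```shell
#!/bin/sh
# Added detection example for CVE-2025-53654: surface CloudTrail events in which the
# access key Jenkins holds is used from anywhere other than the Jenkins controller.
# Key ID, IP address and the sample events are constructed placeholders, not real data.

JENKINS_KEY_ID="AKIAEXAMPLE0000001"   # assumed: the access key configured in the plugin
JENKINS_IP="10.0.1.25"                # assumed: the controller's egress address

# Constructed sample events, one JSON object per line (as produced by jq -c '.Records[]').
# Lines 2 and 3 are the stolen key being used from an outside host; line 4 is a different key.
SAMPLE_EVENTS='{"eventTime":"2025-07-10T08:00:01Z","eventName":"Publish","sourceIPAddress":"10.0.1.25","userIdentity":{"accessKeyId":"AKIAEXAMPLE0000001"}}
{"eventTime":"2025-07-10T09:12:44Z","eventName":"ListBuckets","sourceIPAddress":"203.0.113.7","userIdentity":{"accessKeyId":"AKIAEXAMPLE0000001"}}
{"eventTime":"2025-07-10T09:13:02Z","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.7","userIdentity":{"accessKeyId":"AKIAEXAMPLE0000001"}}
{"eventTime":"2025-07-10T09:20:00Z","eventName":"GetObject","sourceIPAddress":"203.0.113.7","userIdentity":{"accessKeyId":"AKIAOTHERKEY000002"}}'

# Read JSON-per-line events on stdin; print those that use the Jenkins key from a non-Jenkins IP.
# grep -F matches the literal strings, so dots in the IP address are not treated as wildcards.
suspicious_events() {
  grep -F "\"accessKeyId\":\"$JENKINS_KEY_ID\"" | grep -Fv "\"sourceIPAddress\":\"$JENKINS_IP\""
}

# Number of suspicious events in the string passed as $1 (0 when the key is only used by the controller).
suspicious_count() {
  printf '%s\n' "$1" | suspicious_events | grep -c .
}

# Demonstration run over the constructed sample; feed real flattened CloudTrail records on stdin instead.
echo "suspicious events: $(suspicious_count "$SAMPLE_EVENTS")"
printf '%s\n' "$SAMPLE_EVENTS" | suspicious_events
```

A non-zero count is a strong signal after this advisory: the plugin's key has exactly one legitimate caller, so any use from another address means the key has left the controller. Treat a hit as a confirmed leak, rotate the key, and then review the same CloudTrail stream for what the key was used to do.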