CVE-2025-53656
📋 TL;DR
The Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores sensitive credentials unencrypted in job configuration files on the Jenkins controller. This allows users with Item/Extended Read permission or filesystem access to view SLM License Access Keys, client secrets, and passwords. Organizations using the vulnerable plugin versions are affected.
💻 Affected Systems
- Jenkins ReadyAPI Functional Testing Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to sensitive credentials, potentially compromising licensed software access, client authentication systems, and downstream systems that use these credentials.
Likely Case
Internal users with appropriate permissions or attackers who gain filesystem access can harvest credentials for unauthorized access to ReadyAPI services and other integrated systems.
If Mitigated
With strict access controls and monitoring, credential exposure is limited to authorized administrators only, though the fundamental vulnerability remains.
🎯 Exploit Status
Exploitation requires either Item/Extended Read permission on Jenkins or direct filesystem access to the Jenkins controller.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3556
Restart Required: Yes
Instructions:
1. Update the Jenkins ReadyAPI Functional Testing Plugin to version 1.12 or later via the Jenkins Plugin Manager.
2. Restart Jenkins after the update.
3. Reconfigure any jobs using the plugin to ensure credentials are properly secured.
🔧 Temporary Workarounds
Restrict Jenkins Filesystem Access
Limit operating system access to the Jenkins controller filesystem to authorized administrators only.
chmod 700 /var/lib/jenkins
chown jenkins:jenkins /var/lib/jenkins
Review and Restrict Jenkins Permissions
Audit and minimize the set of users with Item/Extended Read permission in Jenkins.
🧯 If You Can't Patch
- Audit all Jenkins jobs using ReadyAPI plugin and remove or rotate exposed credentials
- Implement strict access controls on Jenkins controller filesystem and monitor for unauthorized access
🔍 How to Verify
Check if Vulnerable:
Check the Jenkins plugin manager for the ReadyAPI Functional Testing Plugin version. If the version is 1.11 or earlier, the installation is vulnerable.
Check Version:
Navigate to Jenkins > Manage Jenkins > Plugin Manager and check 'ReadyAPI Functional Testing Plugin' version
Verify Fix Applied:
Verify that the plugin version is 1.12 or later in the Jenkins plugin manager, and confirm that credentials in job config.xml files are no longer stored in plaintext.
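The config.xml check above can be scripted. The following is an added example, not code from the advisory or the plugin: it walks job config.xml files under a Jenkins home and flags credential-looking elements whose value is not in the Jenkins encrypted-Secret form (base64 wrapped in braces). The element names and the builder class in the constructed sample are assumptions; adjust SECRET_NAME_RE to the element names your config.xml actually uses.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins writes encrypted Secret values as base64 wrapped in braces, e.g. "{AQAAABAAAA...}".
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Element names that look like credentials. The plugin's real element names are an
# assumption here; extend the pattern to match what appears in your job config.xml.
SECRET_NAME_RE = re.compile(r"(password|secret|accesskey|licensekey|token)", re.IGNORECASE)


def find_plaintext_secrets(xml_text: str, source: str = "<inline>") -> list:
    """Return (source, tag, masked_value) for secret-like elements not stored encrypted."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # drop any XML namespace prefix
        value = (elem.text or "").strip()
        if not value or not SECRET_NAME_RE.search(tag):
            continue
        if not ENCRYPTED_RE.match(value):
            # Mask the value so the report itself does not leak the secret.
            findings.append((source, tag, value[:4] + "***"))
    return findings


def scan_jenkins_jobs(jenkins_home: str) -> list:
    """Walk $JENKINS_HOME/jobs/**/config.xml and collect findings across all jobs."""
    jobs_dir = Path(jenkins_home, "jobs")
    if not jobs_dir.is_dir():
        return []
    findings = []
    for cfg in jobs_dir.rglob("config.xml"):
        try:
            findings.extend(find_plaintext_secrets(cfg.read_text(encoding="utf-8"), str(cfg)))
        except ET.ParseError:
            continue  # skip unparsable files; report them separately if needed
    return findings


# Constructed sample: one plaintext key (vulnerable state) next to one encrypted secret.
SAMPLE_CONFIG = """<project>
  <builders>
    <com.example.ReadyApiBuilder>
      <slmLicenseAccessKey>abcd-1234-plaintext</slmLicenseAccessKey>
      <clientSecret>{AQAAABAAAAAQ7M4Z2b3J1kJ9Q==}</clientSecret>
      <projectFilePath>/work/api.xml</projectFilePath>
    </com.example.ReadyApiBuilder>
  </builders>
</project>"""

if __name__ == "__main__":
    for src, tag, masked in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"{src}: <{tag}> holds a non-encrypted value ({masked})")
```

Run `scan_jenkins_jobs("/var/lib/jenkins")` on the controller as the jenkins user; an empty result after upgrading to 1.12 and re-saving the affected jobs is the expected outcome.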
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Jenkins controller filesystem
- Suspicious credential usage from Jenkins jobs
Network Indicators:
- Unexpected connections from Jenkins to ReadyAPI or other services using stored credentials
SIEM Query:
source="jenkins" AND (event="filesystem_access" OR event="credential_access")