CVE-2025-53660

4.3 MEDIUM

📋 TL;DR

The Jenkins QMetry Test Management Plugin 1.13 and earlier exposes API keys in plain text on job configuration forms instead of masking them. This allows attackers with access to Jenkins configuration pages to capture these credentials. Organizations using vulnerable versions of this Jenkins plugin are affected.

💻 Affected Systems

Products:
  • Jenkins QMetry Test Management Plugin
Versions: 1.13 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Jenkins instances with the QMetry Test Management Plugin installed and configured with API keys.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain QMetry API keys, potentially gaining unauthorized access to test management systems, manipulating test results, or accessing sensitive testing data.

🟠 Likely Case

Internal users or attackers with Jenkins access capture API keys, leading to unauthorized API calls to QMetry systems and potential data exposure.

🟢 If Mitigated

With proper access controls, only authorized administrators can view configuration pages, limiting exposure to trusted personnel.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to Jenkins job configuration pages where API keys are displayed in plain text.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.14 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3532

Restart Required: Yes

Instructions:

1. Update the Jenkins QMetry Test Management Plugin to version 1.14 or later via the Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.
3. Verify that API keys are now masked in job configuration forms.

🔧 Temporary Workarounds

Restrict Jenkins Configuration Access (applies to: all)

Limit access to Jenkins job configuration pages to authorized administrators only, using Jenkins role-based access control.

Rotate QMetry API Keys (applies to: all)

Generate new API keys in the QMetry system and update the Jenkins configurations to use the new keys.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can view Jenkins job configuration pages
  • Regularly rotate QMetry API keys and monitor for unauthorized API usage

🔍 How to Verify

Check if Vulnerable:

Check the Jenkins Plugin Manager for the installed QMetry Test Management Plugin version. If the version is 1.13 or earlier, the system is vulnerable.

Check Version:

Navigate to Jenkins > Manage Jenkins > Plugin Manager > Installed plugins, find 'QMetry Test Management' and check version.

Verify Fix Applied:

After updating to version 1.14 or later, verify that API keys appear masked (as dots or asterisks) in job configuration forms.
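The version check above can be automated against the plugin inventory Jenkins exposes at `<JENKINS_URL>/pluginManager/api/json?depth=1`. The script below is an added example, not code from the page or the plugin project: it matches the plugin by its display name ('QMetry Test Management'), because the plugin's short name is not given here (the `shortName` in the constructed sample is a placeholder), and it compares versions numerically so that `1.9` is correctly treated as older than `1.14`.

```python
import json
import re

# Constructed sample of the JSON Jenkins returns from
# /pluginManager/api/json?depth=1, trimmed to the fields used here.
# The QMetry shortName is a placeholder; only longName is matched.
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "longName": "Git plugin",
         "version": "5.2.1", "active": True},
        {"shortName": "qmetry-placeholder",
         "longName": "QMetry Test Management Plugin",
         "version": "1.13", "active": True},
    ]
})

FIXED_VERSION = (1, 14)  # first fixed release named in the advisory


def parse_version(version):
    """Map '1.13', '1.14.1' or '1.13-SNAPSHOT' to a tuple of ints.

    Any '-qualifier' suffix is dropped before extracting the numeric
    components, so tuple comparison orders releases correctly.
    """
    numbers = re.findall(r"\d+", version.split("-")[0])
    return tuple(int(n) for n in numbers) if numbers else (0,)


def is_vulnerable_version(version):
    """True when the installed version is below the first fixed release."""
    return parse_version(version) < FIXED_VERSION


def find_qmetry_plugins(plugin_json_text):
    """Return installed plugins whose display name is the QMetry plugin."""
    data = json.loads(plugin_json_text)
    return [p for p in data.get("plugins", [])
            if "qmetry test management" in p.get("longName", "").lower()]


def assess(plugin_json_text):
    """Return (status, version): 'vulnerable', 'fixed' or 'not-installed'."""
    found = find_qmetry_plugins(plugin_json_text)
    if not found:
        return ("not-installed", None)
    version = found[0].get("version", "0")
    return ("vulnerable" if is_vulnerable_version(version) else "fixed", version)


if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_JSON))  # ('vulnerable', '1.13')
```

Feed `assess()` the real response body fetched with an authenticated request to the `pluginManager/api/json?depth=1` endpoint to check a live instance.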

📡 Detection & Monitoring

Log Indicators:

  • Unusual API calls to QMetry systems from unexpected IP addresses or Jenkins instances

Network Indicators:

  • Suspicious outbound connections from Jenkins to QMetry API endpoints

SIEM Query:

source="jenkins.log" AND "QMetry" AND ("API" OR "key")
