CVE-2025-53670

6.5 MEDIUM

📋 TL;DR

The Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores sensitive API keys and encryption keys unencrypted in job configuration files. This allows users with Item/Extended Read permission or filesystem access to view these credentials, potentially leading to unauthorized access to DiveCloud services. Organizations using the vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • Jenkins Nouvola DiveCloud Plugin
Versions: 1.08 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default plugin configuration; any job using DiveCloud credentials is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain access to DiveCloud API keys, allowing them to manipulate cloud resources, exfiltrate sensitive data, or disrupt services connected to those credentials.

🟠 Likely Case: Internal users with read permissions or compromised Jenkins instances expose API keys, leading to unauthorized API calls or credential misuse.

🟢 If Mitigated: With proper access controls and monitoring, exposure is limited to authorized personnel only, minimizing misuse potential.

🌐 Internet-Facing: MEDIUM - If Jenkins is internet-facing, attackers could exploit this via compromised accounts or other vulnerabilities to access credentials.
🏢 Internal Only: HIGH - Internal users with Item/Extended Read permission can easily view unencrypted credentials in config files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires Item/Extended Read permission or filesystem access; no authentication bypass needed beyond those permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.09 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3526

Restart Required: Yes

Instructions:

1. Update Jenkins Nouvola DiveCloud Plugin to version 1.09 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply changes.
3. Review and update any stored DiveCloud credentials if necessary.

🔧 Temporary Workarounds

Restrict Item/Extended Read Permissions

Platform: all

Limit users with Item/Extended Read permission to only trusted administrators to prevent credential exposure.

Configure via Jenkins Manage Jenkins > Configure Global Security > Project-based Matrix Authorization Strategy

Filesystem Access Control

Platform: linux

Restrict filesystem access to Jenkins controller directories containing config.xml files to prevent unauthorized viewing.

chmod 600 /var/lib/jenkins/jobs/*/config.xml
setfacl -m u:jenkins:rw /var/lib/jenkins/jobs/*/config.xml

🧯 If You Can't Patch

  • Remove DiveCloud credentials from existing jobs and store them securely outside Jenkins.
  • Audit and monitor access to Jenkins job configuration files and API key usage in DiveCloud.

🔍 How to Verify

Check if Vulnerable:

Check plugin version in Jenkins Manage Jenkins > Plugin Manager > Installed plugins for 'Nouvola DiveCloud Plugin' version 1.08 or earlier.

Check Version:

grep -l 'Nouvola DiveCloud' /var/lib/jenkins/plugins/*/META-INF/MANIFEST.MF | xargs grep 'Plugin-Version'

Verify Fix Applied:

Verify plugin version is 1.09 or later in Plugin Manager and check that DiveCloud credentials are no longer stored in plaintext in job config.xml files.
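The plaintext check above can be scripted. The following is an added example, not code from this advisory or from the plugin: it parses job config.xml files and flags credential-looking elements whose value is not in Jenkins' encrypted form (hudson.util.Secret serialises encrypted values as base64 wrapped in braces). The element names used by the DiveCloud plugin are not given in this advisory, so the tag patterns and the sample config are assumptions constructed for illustration.

```python
"""Audit Jenkins job config.xml files for credential values that are not Jenkins-encrypted."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# hudson.util.Secret stores an encrypted value as "{<base64>}"; anything else in a
# credential-looking element is stored in the clear.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# ASSUMPTION: the real DiveCloud element names are not known from the advisory; these
# substrings are a heuristic meant to catch apiKey / encryptionKey style fields and may
# produce false positives, so review each hit by hand.
SUSPECT_TAG_RE = re.compile(r"(apikey|api_key|encryptionkey|secret|password|token)", re.IGNORECASE)


def find_plaintext_secrets(xml_text: str) -> list[tuple[str, str]]:
    """Return (element tag, value) pairs for credential-looking elements not stored encrypted."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if not SUSPECT_TAG_RE.search(elem.tag):
            continue
        value = (elem.text or "").strip()
        if value and not ENCRYPTED_RE.match(value):
            findings.append((elem.tag, value))
    return findings


def audit_jobs(jobs_dir: str) -> dict[str, list[tuple[str, str]]]:
    """Walk a Jenkins jobs directory (folders included) and map each offending config.xml to its hits."""
    results = {}
    for cfg in Path(jobs_dir).rglob("config.xml"):
        hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        if hits:
            results[str(cfg)] = hits
    return results


# Constructed sample (not a real job): one key in the clear, one in Jenkins-encrypted form.
# The builder element name is hypothetical.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <builders>
    <com.example.DiveCloudBuilder>
      <apiKey>nv-live-0123456789abcdef</apiKey>
      <encryptionKey>{AQAAABAAAAAQ8f3M5s8zF2yQf0tP+A8u2Dg1dWq9hS7v1c2hY3jK0xE=}</encryptionKey>
    </com.example.DiveCloudBuilder>
  </builders>
</project>
"""

if __name__ == "__main__":
    for tag, value in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext credential in <{tag}>: {value[:4]}... (redacted)")
```

Run `audit_jobs("/var/lib/jenkins/jobs")` on the controller to check every job, and treat any hit as a credential to rotate, not just to re-encrypt.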

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to Jenkins job configuration files or DiveCloud API logs showing unexpected activity from Jenkins IPs.

Network Indicators:

  • Unusual outbound connections from Jenkins server to DiveCloud API endpoints at unexpected times.

SIEM Query:

source="jenkins.log" AND ("config.xml" OR "DiveCloud") AND ("access denied" OR "unauthorized")
