Vulnerability Database

309,136

Total vulnerabilities in the database

CVE-2025-53663

Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Published: Jul 9, 2025
Updated: Nov 24, 2025
CVE: CVE-2025-53663
GHSA: GHSA-pgrx-5f8q-r5mq
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-522
CWE-311

OWASP TOP 10:

A2 - Broken Authentication
A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
com.ibm.devops / ibm-cloud-devops	-	2.0.16.x
jenkins / ibm_cloud_devops	-	2.0.16.x

http://www.openwall.com/lists/oss-security/2025/07/09/4
https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3552

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo