PT-2025-28912 · Jenkins · Jenkins Qmetry Test Management Plugin
Said Abdesslem Messadi · Published 2025-07-09 · Updated 2025-07-10 · CVE-2025-53660
CVSS v3.1: 4.3 Medium | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
Jenkins QMetry Test Management Plugin versions 1.13 and earlier
Description:
The Jenkins QMetry Test Management Plugin does not properly protect Qmetry Automation API Keys. These keys are stored unencrypted in job config.xml files on the Jenkins controller and are visible to users with Item/Extended Read permission or file system access. The job configuration form also displays these API keys without masking, potentially allowing attackers to observe and capture them.
Recommendations:
Versions prior to 1.13: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Insufficiently Protected Credentials
Affected Products
Jenkins
Jenkins Qmetry Test Management Plugin