CVE-2025-53670

MEDIUM4.3EPSS 0.07%

Jenkins Nouvola DiveCloud Plugin vulnerability stores unencrypted credentials

發布日:2025/7/9修改日:2025/11/5

描述

Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

受影響套件(1)

Maven/org.jenkins-ci.plugins:nouvola-divecloudfrom 0, <= 1.08

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-53670
PATCHhttps://github.com/jenkinsci/nouvola-divecloud-plugin
WEBhttps://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3526
WEBhttp://www.openwall.com/lists/oss-security/2025/07/09/4