
CVE-2025-53653: Jenkins Aqua Security Scanner Plugin vulnerability exposes scanner tokens

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

- EPSS Score: 0.03184%
- Published: 7/9/2025
- Updated: 7/9/2025
- KEV Status: No
- Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| org.jenkins-ci.plugins:aqua-security-scanner | maven | <= 3.2.8 | (none listed) |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability lies in the AquaDockerScannerBuilder class, which is responsible for configuring the Aqua Security scanner build step in Jenkins. The root cause is the insecure handling of the localToken credential. Instead of using Jenkins' built-in hudson.util.Secret class to manage the secret, the plugin stores the token in a plain java.lang.String field.

The methods AquaDockerScannerBuilder (constructor), setLocalToken (setter), and getLocalToken (getter) are all part of the data binding and persistence mechanism that Jenkins uses. The constructor and setter accept the token as a String from the user configuration, and the getter exposes this String to the persistence layer. This results in the token being saved in the job's config.xml file in an unencrypted format, making it accessible to any user with Item/Extended Read permissions or file system access to the Jenkins controller.
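To show the pattern the analysis describes, here is an added, illustrative pair of build steps (example code, not the plugin's source; the class names and the `tokenForApiCall` helper are hypothetical): a plain `String` token that Jenkins' XStream persistence writes verbatim into config.xml, beside the same step using `hudson.util.Secret`, which is serialised in its encrypted form.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;

// BEFORE (illustrative): the token is a java.lang.String, so the persistence layer
// stores it as-is, e.g. <localToken>my-scanner-token</localToken> in config.xml,
// readable by anyone with Item/Extended Read or controller file system access.
class VulnerableScannerBuilder extends Builder {
    private String localToken;

    @DataBoundConstructor
    public VulnerableScannerBuilder(String localToken) { this.localToken = localToken; }

    @DataBoundSetter
    public void setLocalToken(String localToken) { this.localToken = localToken; }

    public String getLocalToken() { return localToken; }
}

// AFTER: hudson.util.Secret is persisted as its encrypted value (e.g.
// <localToken>{AQAAABAAAAAQ...}</localToken>), decryptable only with the controller's
// secret key. Secret's XStream converter uses Secret.fromString(), so an existing
// plaintext <localToken> from an old config.xml is still read and then re-saved encrypted.
// The Jelly form field should be <f:password> so the browser never echoes the value.
class HardenedScannerBuilder extends Builder {
    private Secret localToken;

    @DataBoundConstructor
    public HardenedScannerBuilder(Secret localToken) { this.localToken = localToken; }

    @DataBoundSetter
    public void setLocalToken(Secret localToken) { this.localToken = localToken; }

    // Getter returns the Secret, not the plain text; the UI and persistence only ever see the encrypted form.
    public Secret getLocalToken() { return localToken; }

    // Decrypt only at the point of use (hypothetical helper), never in a getter.
    String tokenForApiCall() { return Secret.toString(localToken); }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
        @Override public String getDisplayName() { return "Hardened scanner step (example)"; }
    }
}
```

A quick check after upgrading a plugin that made this change is to grep the job's config.xml for the token element and confirm its value now starts with `{` rather than the literal token.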

Vulnerable functions


WAF Protection Rules

WAF Rule

Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permissions
