
CVE-2025-53653:
Jenkins Aqua Security Scanner Plugin vulnerability exposes scanner tokens

CVSS Score (v3.1): 4.3 (Medium)

Basic Information

EPSS Score: 0.03184%
Published: 7/9/2025
Updated: 7/9/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jenkins-ci.plugins:aqua-security-scanner
Ecosystem: Maven
Vulnerable Versions: <= 3.2.8
First Patched Version: not listed

Vulnerability Intelligence

Root Cause Analysis

The vulnerability lies in the AquaDockerScannerBuilder class, which configures the Aqua Security scanner build step in Jenkins. The root cause is insecure handling of the localToken credential: instead of holding the token in Jenkins' built-in hudson.util.Secret type, the plugin keeps it in a plain java.lang.String field.

The constructor AquaDockerScannerBuilder, the setter setLocalToken and the getter getLocalToken are all part of the data-binding path Jenkins uses for build-step configuration. The constructor and setter accept the token as a String from the submitted form, and the field is persisted as-is when Jenkins serializes the job with XStream, which writes a String field verbatim but would write a Secret field in its encrypted form. The token therefore lands in the job's config.xml in cleartext, where it can be read by any user with Item/Extended Read permission (who can fetch config.xml through the UI and the remote API) or by anyone with file system access to the Jenkins controller, including whoever can read controller backups or a repository the job configuration is synced to. This matches the CVSS vector: a low-privileged authenticated user (PR:L) obtains a confidentiality-only impact (C:L).
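To find jobs that are already affected on a controller, the following checker (an added example, not code from the plugin or from Miggo) parses a job config.xml and reports every localToken element whose value is not in the brace-wrapped base64 form that Jenkins writes for a serialized hudson.util.Secret. The sample document, the builder element name and the decision to treat any other non-empty value as cleartext are constructed assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Flags <localToken> elements in a Jenkins job config.xml that are not stored as an encrypted Secret. */
public class LocalTokenAudit {
    // Heuristic (assumption): a serialized hudson.util.Secret looks like "{<base64>}".
    private static final Pattern ENCRYPTED_SECRET = Pattern.compile("^\\{[A-Za-z0-9+/=]+\\}$");

    /** Returns the parent element name of each cleartext-looking localToken; values are never returned. */
    public static List<String> findCleartextTokenOwners(String configXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No DOCTYPE: an audit tool must not be an XXE sink for a hostile config.xml.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(configXml.getBytes(StandardCharsets.UTF_8)));

        NodeList tokens = doc.getElementsByTagName("localToken");
        List<String> owners = new ArrayList<>();
        for (int i = 0; i < tokens.getLength(); i++) {
            Element token = (Element) tokens.item(i);
            String value = token.getTextContent().trim();
            if (!value.isEmpty() && !ENCRYPTED_SECRET.matcher(value).matches()) {
                owners.add(token.getParentNode().getNodeName());
            }
        }
        return owners;
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0) {
            // Real use: java LocalTokenAudit $JENKINS_HOME/jobs/*/config.xml
            for (String file : args) {
                List<String> owners = findCleartextTokenOwners(Files.readString(Path.of(file)));
                System.out.println(file + ": " + (owners.isEmpty() ? "ok" : "cleartext token in " + owners));
            }
            return;
        }
        // Constructed sample: one cleartext token in the Aqua builder, one Secret-encrypted token elsewhere.
        String sample = "<?xml version='1.1' encoding='UTF-8'?>\n"
            + "<project>\n  <builders>\n"
            + "    <org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder>\n"
            + "      <localToken>aqua-scanner-token-EXAMPLE</localToken>\n"
            + "    </org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder>\n"
            + "    <example.OtherStep>\n"
            + "      <localToken>{AQAAABAAAAAQeXAMPLEeXAMPLEeXAMPLEeXAMPLE=}</localToken>\n"
            + "    </example.OtherStep>\n"
            + "  </builders>\n</project>\n";
        System.out.println("cleartext token in " + findCleartextTokenOwners(sample));
    }
}
```

The checker deliberately returns the owning element rather than the token value, so its own output does not become a second place the secret is written down. Run it over every job config.xml under the controller's JENKINS_HOME (and over any backup of it); a hit means the token should be rotated, not just re-saved, because the cleartext copy may already exist in backups or in a config repository.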

Vulnerable functions

org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.AquaDockerScannerBuilder
src/main/java/org/jenkinsci/plugins/aquadockerscannerbuildstep/AquaDockerScannerBuilder.java
This constructor is annotated with @DataBoundConstructor, so Jenkins instantiates the build step from the submitted configuration form through it. It accepts localToken as a plain String and assigns it to a String field; that field is then persisted to the job's config.xml without encryption.
org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.setLocalToken
src/main/java/org/jenkinsci/plugins/aquadockerscannerbuildstep/AquaDockerScannerBuilder.java
This setter is annotated with @DataBoundSetter, which lets Jenkins set the localToken property after the object has been constructed. It takes a String argument and stores it in the same String field, which is then persisted in cleartext.
org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.getLocalToken
src/main/java/org/jenkinsci/plugins/aquadockerscannerbuildstep/AquaDockerScannerBuilder.java
This getter returns localToken as a plain String and is what the job configuration view reads to repopulate the form. Persistence itself does not go through the getter: XStream serializes the object's fields by reflection, and because the field is a String it is written to config.xml verbatim. Had the field been a hudson.util.Secret, Jenkins' registered converter would have written its encrypted form instead. A secure implementation uses hudson.util.Secret for the field, for the constructor and setter parameters, and as the getter's return type.
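The vulnerable shape and the hardened shape side by side, reduced to the one field that matters. This is an added example, not the plugin's source: the package name, class names, descriptor and perform body are hypothetical, and only the String-versus-hudson.util.Secret handling of localToken is the point. It assumes Jenkins core's Stapler data binding (@DataBoundConstructor, @DataBoundSetter) and the XStream converter Jenkins registers for Secret.

```java
package org.example.aquatoken; // hypothetical package, not the plugin's

import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractProject;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import java.io.IOException;
import jenkins.tasks.SimpleBuildStep;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;

/**
 * VULNERABLE pattern (the shape this page describes). XStream persists fields by reflection,
 * so a String field lands in config.xml verbatim:  <localToken>the-actual-token</localToken>
 * Illustrative only: it has no Descriptor and would not register as a build step.
 */
class VulnerableScannerBuilder extends Builder {
    private String localToken;

    @DataBoundConstructor
    public VulnerableScannerBuilder(String localToken) { this.localToken = localToken; }

    @DataBoundSetter
    public void setLocalToken(String localToken) { this.localToken = localToken; }

    public String getLocalToken() { return localToken; }
}

/**
 * HARDENED pattern: field, constructor parameter, setter and getter all use hudson.util.Secret.
 * Jenkins registers an XStream converter for Secret, so config.xml stores the encrypted form
 * ({base64...}) rather than the token, and Stapler converts the submitted form string to a Secret.
 * A cleartext value already sitting in config.xml still loads (Secret.fromString accepts plaintext)
 * and is rewritten encrypted the next time the job is saved.
 */
public class HardenedScannerBuilder extends Builder implements SimpleBuildStep {
    private Secret localToken;

    @DataBoundConstructor
    public HardenedScannerBuilder(Secret localToken) { this.localToken = localToken; }

    @DataBoundSetter
    public void setLocalToken(Secret localToken) { this.localToken = localToken; }

    public Secret getLocalToken() { return localToken; }

    @Override
    public void perform(Run<?, ?> run, FilePath workspace, Launcher launcher, TaskListener listener)
            throws InterruptedException, IOException {
        // Decrypt only at the point of use; never write the plaintext to the build log.
        String plain = Secret.toString(localToken); // "" when the field is unset
        if (plain.isEmpty()) {
            throw new IOException("Aqua scanner token is not configured");
        }
        listener.getLogger().println("Aqua scanner token: configured");
        // ... hand `plain` to the scanner invocation here (e.g. as an environment variable on
        //     launcher.launch()), not as a command-line argument visible in process listings ...
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }

        @Override
        public String getDisplayName() { return "Example scanner step (Secret-backed token)"; }
    }
}
```

The matching config.jelly uses `<f:password field="localToken"/>` so the form never renders the token as a visible text input. Switching the type fixes new saves only: every token that has already been written in cleartext should be rotated, since copies may exist in controller backups, job-config history and any repository the configuration is synced to. A stronger design stores the token in the Credentials plugin and keeps only a credential ID in the build step.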

WAF Protection Rules

WAF Rule

No request-matching rule is given for this issue; the entry reproduces the advisory description: Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or with file system access to the Jenkins controller.
