
CVE-2025-53655: Jenkins Statistics Gatherer Plugin does not mask AWS Secret Key

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.06104%
Published: 7/9/2025
Updated: 7/9/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.jenkins.plugins.statistics.gatherer:statistics-gatherer | maven | <= 2.0.3 | (none listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability lies in the improper handling of the AWS Secret Key within the Jenkins Statistics Gatherer Plugin. The root cause is that the awsSecretKey field in the StatisticsConfiguration class is of type String instead of the Jenkins-provided hudson.util.Secret class, which is designed to handle sensitive data.

The analysis of the StatisticsConfiguration.java file reveals that the setAwsSecretKey method directly accepts a plaintext String and persists it to the configuration file via the save() method. The getAwsSecretKey method exposes this plaintext secret. Furthermore, the configure method processes the web UI form submission, binding the plaintext secret from the HTTP request to the configuration object. This leads to the secret key being stored unencrypted on the Jenkins controller's filesystem in org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml and being displayed in plaintext in the web UI, making it accessible to anyone with filesystem access or the ability to view the Jenkins global configuration page.

Vulnerable functions

org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.setAwsSecretKey
src/main/java/org/jenkins/plugins/statistics/gatherer/StatisticsConfiguration.java
This function is a public setter that takes the AWS Secret Key as a plaintext String and stores it in the `awsSecretKey` field. The `save()` method then persists the configuration, including the plaintext secret, to the `org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml` file without any encryption.
org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.getAwsSecretKey
src/main/java/org/jenkins/plugins/statistics/gatherer/StatisticsConfiguration.java
This function returns the AWS Secret Key as a plaintext String, making it accessible to any part of the Jenkins instance that can call this method.
org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.configure
src/main/java/org/jenkins/plugins/statistics/gatherer/StatisticsConfiguration.java
This function is responsible for binding the submitted form data from the Jenkins global configuration page to the `StatisticsConfiguration` object. When the form is saved, the `awsSecretKey` is passed in plaintext within the request and bound to the `awsSecretKey` field by this method, which then leads to it being saved in plaintext by the `setAwsSecretKey` method.
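The following is an added illustration, not code from the Statistics Gatherer Plugin itself: a minimal Jenkins `GlobalConfiguration` with a plaintext `String` secret field (the shape described above) placed beside the same configuration backed by `hudson.util.Secret`. Class names, the field name and the helper method are hypothetical; the Jenkins APIs used (`GlobalConfiguration`, `load()`/`save()`, `@DataBoundSetter`, `Secret.toString`) are real.

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

// Hypothetical "before" shape: a plaintext String field.
// Jenkins' XStream persistence writes a String field verbatim to the
// global configuration XML on the controller, and a textbox bound to it
// echoes the stored value back into the global configuration page.
class PlaintextAwsConfig extends GlobalConfiguration {
    private String awsSecretKey;

    public PlaintextAwsConfig() {
        load();   // reads the XML, including the plaintext secret
    }

    public String getAwsSecretKey() {
        return awsSecretKey;   // exposes the plaintext to any caller
    }

    @DataBoundSetter
    public void setAwsSecretKey(String awsSecretKey) {
        this.awsSecretKey = awsSecretKey;
        save();   // persisted as <awsSecretKey>plaintext</awsSecretKey>
    }
}

// Hardened shape: hudson.util.Secret. Jenkins serializes a Secret field
// in its encrypted form (keyed by the controller's secret key), and a
// Secret-typed field bound to an <f:password> control in config.jelly
// is not rendered back as the plaintext value.
@Extension
public class SecretAwsConfig extends GlobalConfiguration {
    private Secret awsSecretKey;

    public SecretAwsConfig() {
        load();
    }

    public Secret getAwsSecretKey() {
        return awsSecretKey;   // callers get the wrapper, not the plaintext
    }

    @DataBoundSetter
    public void setAwsSecretKey(Secret awsSecretKey) {
        this.awsSecretKey = awsSecretKey;
        save();   // persisted as the encrypted value, not the plaintext
    }

    // Decrypt only at the point of use, e.g. when constructing the AWS
    // client. Secret.toString(Secret) is null-safe and yields "" when unset.
    public String awsSecretKeyForClient() {
        return Secret.toString(awsSecretKey);
    }
}
```

Two practical consequences follow for anyone running an affected version: the plaintext key already sits in `org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml` in `$JENKINS_HOME`, so moving to a `Secret`-backed field does not retroactively protect a key that was written to disk or shown in the UI, and that key should be rotated on the AWS side after the upgrade; and because the CVSS vector is PR:L, any account that can view the global configuration page, not only administrators with filesystem access, should be assumed to have been able to read it.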

WAF Protection Rules

WAF Rule

Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file `org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml` on the Jenkins controller as part of its configuration.

Reasoning

The vulnerability lies in the improper handling of the AWS Secret Key within the Jenkins Statistics Gatherer Plugin. The root cause is that the `awsSecretKey` field in the `StatisticsConfiguration` class is of type `String` instead of the Jenkins-pro