
CVE-2025-53666: Jenkins Dead Man's Snitch Plugin vulnerability stores tokens in plain text

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.03907%
Published: 7/9/2025
Updated: 7/9/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jenkins-ci.plugins:deadmanssnitch
Ecosystem: maven
Vulnerable Versions: <= 0.1
First Patched Version: none listed

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability lies in the Dead Man's Snitch Plugin's handling of the API token. The core of the issue is that the token is stored as a plain String field within the DeadMansSnitchNotifier class. Jenkins persists the configuration of build steps, including this notifier, in job config.xml files. Because the @DataBoundConstructor takes the token as a String, the token is written to config.xml without any encryption. Any user with read access to the job configuration, or with file system access to the Jenkins controller, can therefore view the token. The getToken() method also returns the token in plain text, so it can be displayed in the Jenkins UI when the job configuration form is rendered. The perform method is the function that uses this unencrypted token to communicate with the Dead Man's Snitch service. The root cause is that the plugin does not use Jenkins' hudson.util.Secret class for handling the token.

Vulnerable functions

org.jenkinsci.plugins.deadmanssnitch.DeadMansSnitchNotifier.DeadMansSnitchNotifier
src/main/java/org/jenkinsci/plugins/deadmanssnitch/DeadMansSnitchNotifier.java
This constructor is used by Jenkins to create an instance of the notifier from the configuration. It takes the Dead Man's Snitch token as a plain `String` and stores it in a field. Because the `token` field is a simple `String` and not an encrypted type like `hudson.util.Secret`, Jenkins serializes it to `config.xml` in plain text.

org.jenkinsci.plugins.deadmanssnitch.DeadMansSnitchNotifier.getToken
src/main/java/org/jenkinsci/plugins/deadmanssnitch/DeadMansSnitchNotifier.java
This getter method exposes the stored token. In the Jenkins UI it is used to populate the form field, and because it returns a `String`, the token is displayed in plain text, which is a security risk.

org.jenkinsci.plugins.deadmanssnitch.DeadMansSnitchNotifier.perform
src/main/java/org/jenkinsci/plugins/deadmanssnitch/DeadMansSnitchNotifier.java
This method is executed during a build. It retrieves the unencrypted token and uses it to send a notification. While the primary vulnerability is the storage of the token, this function is part of the vulnerable process because it handles the sensitive data.
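The storage defect described in the root cause analysis and in the three functions above, shown as an added example (not the plugin's source): a reconstructed plain-`String` notifier next to the hardened pattern that holds the token as `hudson.util.Secret`, the type Jenkins persists encrypted. Class names, the `SnitchClient` stand-in and the `{...encrypted...}` placeholder are assumptions; only the `String`-versus-`Secret` pattern comes from the page.

```java
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepMonitor;
import hudson.tasks.Notifier;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

// Stand-in for the HTTP call to Dead Man's Snitch (assumption; the real request is not on the page).
final class SnitchClient {
    static boolean notify(String plainToken) { return plainToken != null && !plainToken.isEmpty(); }
}

// Vulnerable pattern, reconstructed from the page's description (not the plugin's source):
// the token is bound as a plain String, so XStream writes it verbatim into the job's
// config.xml and the getter hands it back to the configuration form in clear.
class PlainTokenNotifier extends Notifier {
    private final String token;                 // persisted as <token>abc123</token>
    @DataBoundConstructor
    public PlainTokenNotifier(String token) { this.token = token; }

    public String getToken() { return token; }  // plaintext rendered on the job config page
    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        return SnitchClient.notify(token);
    }

    @Override
    public BuildStepMonitor getRequiredMonitorService() { return BuildStepMonitor.NONE; }
}

// Hardened pattern: hold the token as hudson.util.Secret. Jenkins persists it encrypted
// with the controller's instance key, an <f:password> field renders only the encrypted
// form, and the plaintext is recovered only at the moment of use. Old plain-text config.xml
// values still load: Secret.fromString() wraps an unencrypted string, re-encrypted on next save.
class SecretTokenNotifier extends Notifier {
    private final Secret token;                 // persisted as <token>{...encrypted...}</token>
    @DataBoundConstructor
    public SecretTokenNotifier(Secret token) { this.token = token; }

    public Secret getToken() { return token; }  // no plaintext reaches the rendered form
    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        return SnitchClient.notify(Secret.toString(token));  // decrypt only for the outbound call
    }

    @Override
    public BuildStepMonitor getRequiredMonitorService() { return BuildStepMonitor.NONE; }
}
```

Descriptors and the Jelly form are omitted; the form field for the hardened class should be an `f:password` bound to `token` so the browser never receives the decrypted value.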

WAF Protection Rules

WAF Rule

Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
