| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:sensedia-api-platform | maven | <= 1.0 | (none available) |
The vulnerability, as described in CVE-2025-53673, lies in the insecure storage of the Sensedia API Manager integration token. The analysis of the source code of SensediaApiConfiguration.java confirms this. The tokenManager field, which holds the sensitive token, is of type String. In Jenkins plugin development, sensitive data like tokens and passwords should be stored using the hudson.util.Secret class, which ensures the data is encrypted on disk.
The setTokenManager function is the entry point for the vulnerability. It receives the token from the user interface as a plain String and saves it directly. The save() method, inherited from GlobalConfiguration, serializes the object's state to an XML file (com.sensedia.configuration.SensediaApiConfiguration.xml), and because the tokenManager is a String, it is written in cleartext.
The getTokenManager function is also part of the vulnerability as it exposes the unencrypted token to any other code that calls it.
The vulnerability is further exacerbated by the UI, defined in config.jelly, which uses a standard text input (<f:entry field="tokenManager">) instead of a password input (<f:password>). This means the token is not masked in the Jenkins global configuration screen, increasing the risk of shoulder-surfing attacks.
Since there is no patched version available, the current code is the vulnerable code. The identified functions are directly responsible for handling the unencrypted token, and their modification would be necessary to fix this vulnerability.
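The hardened shape of the configuration class described above, as an added illustrative example that is not the plugin's own source: the class and field names mirror the text, `tokenForApiCall` is an assumed helper, and the comments mark what the vulnerable version did instead.

```java
// Added example, not the plugin's code: GlobalConfiguration holding the token as Secret.
package com.sensedia.configuration;

import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

@Extension
public class SensediaApiConfiguration extends GlobalConfiguration {

    // Vulnerable version: `private String tokenManager;` -> save() wrote it verbatim
    // into com.sensedia.configuration.SensediaApiConfiguration.xml. Jenkins' XStream
    // converter serialises a Secret encrypted with the key under $JENKINS_HOME/secrets.
    private Secret tokenManager;

    public SensediaApiConfiguration() {
        // An existing cleartext String value is still accepted on load and is
        // written back encrypted on the next save().
        load();
    }

    // Vulnerable version returned String, handing every caller the cleartext.
    // Returning Secret makes each unwrap an explicit getPlainText() call.
    public Secret getTokenManager() {
        return tokenManager;
    }

    // <f:password field="tokenManager"/> in config.jelly binds here; Stapler
    // converts the submitted value to a Secret before this setter runs.
    @DataBoundSetter
    public void setTokenManager(Secret tokenManager) {
        this.tokenManager = tokenManager;
        save();
    }

    // Assumed helper: only the code that actually calls the API unwraps the token.
    public String tokenForApiCall() {
        return tokenManager == null ? null : tokenManager.getPlainText();
    }
}

/* config.jelly, hardened form replacing the plain text input:
<f:section title="Sensedia API Platform">
  <f:entry title="Token" field="tokenManager">
    <f:password/>
  </f:entry>
</f:section>
*/
```

Because the token was already written in cleartext, changing the field type alone is not enough: the token should be rotated and the configuration re-saved so the encrypted value replaces the cleartext entry, and any backups of the XML file should be treated as containing the old token.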