CVE-2025-53675: Jenkins Warrior Framework Plugin vulnerability exposes unencrypted passwords to certain authenticated users
4.3
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:warrior | maven | <= 1.2 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description clearly states that the Warrior Framework Plugin stores passwords unencrypted in job config.xml files. This is a classic Jenkins plugin vulnerability where password fields are stored as plain String objects instead of using the hudson.util.Secret class, which is designed to handle encrypted storage of secrets.
My analysis of the source code of WarriorPluginBuilder.java confirms this. The @DataBoundConstructor for the WarriorPluginBuilder class, which is the main entry point for the plugin's build step configuration, accepts several password parameters (gitConfigPwd, sftpConfigPwd, uploadServerPwd) as String types. These are then stored in String fields within the class.
When a user configures a job using this plugin, Jenkins persists the configuration of the WarriorPluginBuilder instance. The Java-object-to-XML serialization that Jenkins performs on save writes the values of these String fields in cleartext directly into the job's config.xml file.
The vulnerable function is the constructor, as it is responsible for taking the plaintext password from the user configuration and storing it in a field that is not encrypted. The getters for these password fields also contribute to the problem by exposing the plaintext passwords to other parts of the plugin, but the root cause of the storage vulnerability lies in the constructor and the field types.
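As an added illustration (not the plugin's own code), here is the String-backed shape the analysis describes next to the Secret-backed shape that removes the cleartext storage. Both class names are hypothetical; the gitConfigPwd field name is taken from the analysis above.

```java
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

// Vulnerable shape (as the analysis above describes): the password arrives
// as a String and is kept in a String field, so when Jenkins serialises the
// builder into the job's config.xml the value is written verbatim.
class PlainStringBuilder {
    private final String gitConfigPwd;

    @DataBoundConstructor
    public PlainStringBuilder(String gitConfigPwd) {
        this.gitConfigPwd = gitConfigPwd;   // persisted as <gitConfigPwd>cleartext</gitConfigPwd>
    }

    public String getGitConfigPwd() {
        return gitConfigPwd;                // hands the cleartext to any caller
    }
}

// Hardened shape: the field, the constructor parameter and the getter all use
// hudson.util.Secret. Stapler binds the submitted form value to a Secret, and
// serialisation stores Secret.getEncryptedValue(), never the plaintext.
class SecretBuilder {
    private final Secret gitConfigPwd;

    @DataBoundConstructor
    public SecretBuilder(Secret gitConfigPwd) {
        this.gitConfigPwd = gitConfigPwd;
    }

    public Secret getGitConfigPwd() {
        return gitConfigPwd;                // a Jelly <f:password> field round-trips a Secret
    }

    // Decrypt only at the point of use (e.g. when opening the git/SFTP connection).
    String gitConfigPwdForUse() {
        return Secret.toString(gitConfigPwd);   // null-safe: returns "" for a null Secret
    }
}
```

Secret.fromString() accepts either an already-encrypted value or a plaintext one, so config.xml entries written by the String version are read back into the Secret field and re-encrypted the next time the job is saved.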