CVE-2025-53676: Jenkins Xooa Plugin vulnerability exposes unencrypted tokens to authenticated users

The vulnerability lies in the insecure storage of the Xooa Deployment Token. The analysis of the GlobConfig.java file reveals that the setDeploymentToken method takes the deployment token as a string and saves it without any encryption. The save() method, inherited from GlobalConfiguration, persists the object's state to an XML file, io.jenkins.plugins.xooa.GlobConfig.xml. Consequently, the token is stored in plaintext in this file. The getDeploymentToken method retrieves this unencrypted token. Any user with access to the Jenkins controller's file system can read this file and obtain the token. Additionally, any other part of Jenkins with sufficient permissions could potentially access this token by calling the getDeploymentToken method. The security advisory confirms this finding, stating that the token is stored unencrypted in the global configuration file. Since there is no patch available, the current implementation remains vulnerable.