CVE-2025-53673: Jenkins Sensedia API Platform Plugin vulnerability exposes unencrypted tokens in its global configuration file

July 9, 2025

Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file com.sensedia.configuration.SensediaApiConfiguration.xml on the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.

As of publication of this advisory, there is no fix.

References

github.com/advisories/GHSA-93j6-jcjw-3rwp
github.com/jenkinsci/sensedia-api-platform-plugin
nvd.nist.gov/vuln/detail/CVE-2025-53673
www.jenkins.io/security/advisory/2025-07-09/

Code Behaviors & Features

Detect and mitigate CVE-2025-53673 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →