CVE-2025-53653: Vulnerability in Jenkins Project Jenkins Aqua Security Scanner Plugin

Severity: Medium
Published: Wed Jul 09 2025 (07/09/2025, 15:39:28 UTC)
Source: CVE Database V5
Vendor/Project: Jenkins Project
Product: Jenkins Aqua Security Scanner Plugin

Description

Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

AI-Powered Analysis

Last updated: 11/04/2025, 21:57:20 UTC

Technical Analysis

The Jenkins Aqua Security Scanner Plugin, versions 3.2.8 and earlier, contains a vulnerability (CVE-2025-53653) where Scanner Tokens for the Aqua API are stored unencrypted within the job config.xml files on the Jenkins controller. These tokens are sensitive credentials used to authenticate to the Aqua Security scanning service. Because the tokens are stored in plaintext, any user with Item/Extended Read permission within Jenkins, or any actor with access to the Jenkins controller's file system, can read them. This exposure violates secure credential storage practice (CWE-311: Missing Encryption of Sensitive Data). Exploitation requires no user interaction, but it does require either the relevant Jenkins permission or file system access on the controller. The CVSS score of 4.3 reflects medium severity: the impact is limited to confidentiality, attack complexity is low, and some privileges are required. No integrity or availability impacts are noted. No patches or fixes are currently linked, so mitigation relies on access control hardening and credential management. A leaked token could allow attackers to misuse the Aqua API, potentially gaining unauthorized insight into scanning results or manipulating scan configurations, which could aid further attacks or evade detection.

Potential Impact

For European organizations, this vulnerability poses a risk of credential leakage within Jenkins environments that use the Aqua Security Scanner Plugin. Exposure of API tokens can lead to unauthorized access to Aqua Security scanning services, potentially allowing attackers to gather sensitive information about container or application security posture or manipulate scan results. This could undermine the security validation processes integral to DevOps pipelines, increasing the risk of deploying vulnerable or compromised software. Organizations with multi-tenant Jenkins setups or those granting broad read permissions are at higher risk. The confidentiality breach could also facilitate lateral movement or privilege escalation within the CI/CD infrastructure. While no direct availability or integrity impacts are reported, the indirect consequences could affect compliance with security standards and regulatory requirements prevalent in Europe, such as GDPR, due to improper handling of sensitive credentials.

Mitigation Recommendations

European organizations should immediately audit Jenkins instances for the presence of the Aqua Security Scanner Plugin version 3.2.8 or earlier. Access to Jenkins controllers and job configuration files must be strictly limited to trusted administrators. Implement role-based access controls to minimize the number of users with Item/Extended Read permission. Rotate all exposed Aqua API Scanner Tokens and replace them with new credentials stored securely through the Jenkins Credentials plugin or an external secret management solution that encrypts secrets at rest. Monitor Jenkins logs and access patterns for unusual activity related to token usage. Consider isolating Jenkins controllers from broader network access and enforcing file system permissions to prevent unauthorized access. Until an official patch is released, organizations should evaluate disabling the plugin if feasible or migrating to alternative scanning tools with secure credential handling. Regularly review and update CI/CD security policies to include secure storage and handling of API tokens and secrets.
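As an added example (not from the advisory or the plugin project), the audit step above as a script: it walks a Jenkins controller's jobs/ tree and flags credential-looking fields in each config.xml whose value is not in the brace-wrapped base64 form Jenkins uses for an encrypted Secret. The element names in the embedded sample config are hypothetical, since the page does not give the plugin's actual tag names.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Tag names that commonly hold credentials; extend for the plugins you run.
SENSITIVE_TAG = re.compile(r"(token|secret|password|apikey|credential)", re.IGNORECASE)
# Assumption: Jenkins serialises an encrypted hudson.util.Secret as base64 wrapped
# in braces, e.g. {AQAAABAAAAAQ...}. Anything else in a sensitive field is plaintext.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def find_plaintext_secrets(config_xml: str, job_name: str = "<job>") -> list:
    """Return (job, tag, masked value) for sensitive fields stored unencrypted."""
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        tag = elem.tag.split("}")[-1]          # strip any XML namespace
        value = (elem.text or "").strip()
        if not value or not SENSITIVE_TAG.search(tag):
            continue
        if ENCRYPTED_SECRET.match(value):      # properly encrypted, nothing to report
            continue
        masked = value[:4] + "..." + value[-2:] if len(value) > 8 else "***"
        findings.append((job_name, tag, masked))  # never log the full token
    return findings


def scan_jenkins_home(jenkins_home: str) -> list:
    """Walk $JENKINS_HOME/jobs/**/config.xml (folders included) and collect findings."""
    results = []
    for cfg in Path(jenkins_home).glob("jobs/**/config.xml"):
        job = cfg.parent.relative_to(jenkins_home).as_posix()
        try:
            results.extend(find_plaintext_secrets(cfg.read_text(encoding="utf-8"), job))
        except ET.ParseError:
            results.append((job, "<unparseable config.xml>", ""))
    return results


# Constructed sample: a hypothetical builder element holding a scanner token in the
# clear next to a correctly encrypted Secret field (tag names are made up).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<project>
  <builders>
    <org.example.AquaScannerBuilder>
      <scannerToken>aqua-scanner-token-PLAINTEXT-EXAMPLE</scannerToken>
      <registryPassword>{AQAAABAAAAAQ7mZQq4c9Xr2hP3Ew1Yt8Nn9Kx2Lz0=}</registryPassword>
      <imageName>example/app:1.0</imageName>
    </org.example.AquaScannerBuilder>
  </builders>
</project>"""

if __name__ == "__main__":
    for job, tag, masked in find_plaintext_secrets(SAMPLE_CONFIG, "example-job"):
        print(f"[PLAINTEXT] {job}: <{tag}> = {masked}")
```

Run `scan_jenkins_home("/var/lib/jenkins")` (or wherever JENKINS_HOME lives) as a user that can read the jobs/ tree; every hit is a token to rotate and move into the Credentials plugin.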


Technical Details

Data Version: 5.1
Assigner Short Name: jenkins
Date Reserved: 2025-07-08T07:51:59.762Z
CVSS Version: null
State: PUBLISHED

Threat ID: 686e90ba6f40f0eb7204bd23

Added to database: 7/9/2025, 3:54:34 PM

Last enriched: 11/4/2025, 9:57:20 PM

Last updated: 11/20/2025, 8:57:21 AM
