CVE-2025-53670: 
Java vulnerability analysis and mitigation

CVE-2025-53670 affects the Jenkins Nouvola DiveCloud Plugin versions 1.08 and earlier. The vulnerability was discovered and disclosed on July 9, 2025, and is identified as SECURITY-3526 in the Jenkins security advisory. The issue affects the storage and display of sensitive credentials in the Jenkins plugin (Jenkins Advisory).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue is categorized as CWE-312 (Cleartext Storage of Sensitive Information). The vulnerability specifically involves the storage of DiveCloud API Keys and Credentials Encryption Keys in unencrypted format within job config.xml files on the Jenkins controller (CISA-ADP).

The vulnerability exposes sensitive credentials to unauthorized access. Users with Item/Extended Read permission or access to the Jenkins controller file system can view the unencrypted DiveCloud API Keys and Credentials Encryption Keys stored in the job config.xml files (Jenkins Advisory).

As of the advisory's publication date, no official fix is available for the Nouvola DiveCloud Plugin. The Jenkins security advisory indicates that the plugin is among those without available fixes (Jenkins Advisory).