CVE-2025-53676: 
Java vulnerability analysis and mitigation

CVE-2025-53676 is a security vulnerability affecting the Jenkins Xooa Plugin versions 0.0.7 and earlier. The vulnerability was discovered and disclosed on July 9, 2025, and is related to the insecure storage of sensitive credentials. This vulnerability has been assigned a Medium severity rating (Jenkins Advisory).

The vulnerability stems from the plugin storing the Xooa Deployment token unencrypted in its global configuration file (io.jenkins.plugins.xooa.GlobConfig.xml) on the Jenkins controller. The CVSS 3.1 Base Score is 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is tracked under CWE-311 (Missing Encryption of Sensitive Data) (NVD).

The vulnerability allows users with access to the Jenkins controller file system to view the unencrypted Xooa Deployment token. Additionally, the global configuration form does not mask the token, which increases the potential for attackers to observe and capture it during configuration viewing (Jenkins Advisory).

As of the advisory publication date, there is no fix available for this vulnerability. Users of the Xooa Plugin should implement additional access controls to restrict access to the Jenkins controller file system and monitor access to configuration files (Jenkins Advisory).

The vulnerability was discovered and reported by Romuald Moisan from Aix Marseille University (SECURITY-3522). The Jenkins security team has acknowledged the vulnerability and included it in their July 2025 security advisory (Jenkins Advisory).