CVE-2025-53671 — Jenkins Nouvola DiveCloud Plugin vulnerability does not mask keys on its job con

Description

Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

How to fix CVE-2025-53671

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2025-53671 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.08

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-53671
PATCHgithub.com/jenkinsci/nouvola-divecloud-plugin
WEBwww.jenkins.io/security/advisory/2025-07-09/#SECURITY-3526
WEBwww.openwall.com/lists/oss-security/2025/07/09/4