CVE-2019-1003021
Description
An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins OpenId Connect Authentication Plugin 1.4 and earlier exposes the configured client secret in OicSecurityRealm/config.jelly, allowing an attacker who can view or control a Jenkins administrator's browser to retrieve it.
Vulnerability
The vulnerability exists in the Jenkins OpenId Connect Authentication Plugin version 1.4 and earlier. The file OicSecurityRealm/config.jelly exposes the configured client secret in a way that can be captured by an attacker who can view an administrator's web browser output or control the browser (e.g., through a malicious browser extension) [1], [2].
Exploitation
An attacker needs to be able to view the web browser output of a Jenkins administrator, or control the browser via a malicious extension. The attacker can then retrieve the client secret from the configuration page of the OpenId Connect Authentication Plugin.
Impact
Successful exploitation allows the attacker to retrieve the configured client secret, which could be used to impersonate the Jenkins instance in the OpenID Connect authentication flow, potentially leading to unauthorized access.
Mitigation
The issue is fixed in OpenId Connect Authentication Plugin version 1.5 and later, as per the Jenkins security advisory [1]. Users should upgrade to version 1.5 or newer. No workaround is known.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:oic-auth | Maven | < 1.5 | 1.5 |
Affected products
- Jenkins OpenId Connect Authentication Plugin (oic-auth), range: 1.4 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-3858-58w9-wpcg (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-1003021 (GHSA, advisory)
- https://jenkins.io/security/advisory/2019-01-28/ (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.