CVE-2019-1003038
Description
Jenkins Repository Connector Plugin <=1.2.4 stores passwords insecurely, allowing local attackers or those controlling an admin's browser to retrieve them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins Repository Connector Plugin versions 1.2.4 and earlier store user credentials in an insufficiently protected manner within the plugin's configuration [1][3]. The vulnerability exists in the Java source files ArtifactDeployer.java, Repository.java, and UserPwd.java [3].
Exploitation
An attacker can exploit this vulnerability by gaining local file system access to the Jenkins controller or by controlling a Jenkins administrator's web browser (e.g., via a malicious browser extension). No authentication or user interaction is required beyond the initial access condition [1][3].
Impact
Successful exploitation allows the attacker to retrieve the password stored in the plugin configuration, leading to disclosure of credentials used by the plugin to connect to artifact repositories [3].
Mitigation
The Jenkins Security Advisory recommends upgrading the Repository Connector Plugin to a version that does not persist passwords in an insufficiently protected manner. The advisory was published on 2019-03-06 [1]. Users should follow the plugin's upgrade path and check for the latest fixed version. No workaround is documented in the available references.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:repository-connector (Maven) | < 1.2.5 | 1.2.5 |
Affected products
- Range: 1.2.4 and earlier
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-99jc-v8pq-6qm4 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-1003038 (ghsa; ADVISORY)
- www.securityfocus.com/bid/107476 (mitre; vdb-entry, x_refsource_BID)
- jenkins.io/security/advisory/2019-03-06/ (ghsa; x_refsource_CONFIRM, WEB)
- web.archive.org/web/20200227084009/http://www.securityfocus.com/bid/107476 (ghsa; WEB)