CVE-2019-1003045
Description
A vulnerability in Jenkins ECS Publisher Plugin 1.0.0 and earlier allows attackers with Item/Extended Read permission, or local file system access to the Jenkins home directory, to obtain the API token configured in this plugin's configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins ECS Publisher Plugin 1.0.0 and earlier exposes API tokens to users with Item/Extended Read permission or local file system access.
Vulnerability
A vulnerability in the Jenkins ECS Publisher Plugin [1] versions 1.0.0 and earlier allows attackers with Item/Extended Read permission, or local file system access to the Jenkins home directory, to obtain the API token configured in the plugin's configuration. The token is stored in plaintext and can be accessed without authentication if the attacker has the necessary permissions or file system access.
Exploitation
An attacker must have either Item/Extended Read permission on the Jenkins configuration, or direct access to the Jenkins home directory on the file system. With these privileges, the attacker can read the configuration file that contains the API token in plaintext, thereby extracting the token.
Impact
Successful exploitation results in disclosure of the ECS API token, which can be used to authenticate to Amazon ECS and potentially perform actions with the same privileges as the Jenkins instance. This may lead to unauthorized access to cloud resources and data breaches.
Mitigation
The vulnerability is fixed in Jenkins ECS Publisher Plugin version 1.1 and later [1]. Users should upgrade to version 1.1 or higher as soon as possible. No workaround is available. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| de.eacg:ecs-publisher (Maven) | < 1.0.1 | 1.0.1 |
Affected products
- Range: <=1.0.0
- Range: 1.0.0 and earlier
References
- github.com/advisories/GHSA-ffj8-w4rj-vr7v (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-1003045 (advisory)
- www.openwall.com/lists/oss-security/2019/03/28/2 (mailing list)
- www.securityfocus.com/bid/107628 (vulnerability database entry)
- jenkins.io/security/advisory/2019-03-25/ (vendor confirmation)