CVE-2019-1003048
Description
A vulnerability in Jenkins PRQA Plugin 3.1.0 and earlier allows attackers with local file system access to the Jenkins home directory to obtain the unencrypted password from the plugin configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins PRQA Plugin 3.1.0 and earlier stores the password unencrypted in configuration, allowing local attackers with home directory access to obtain it.
Vulnerability
Jenkins PRQA Plugin 3.1.0 and earlier stores the password used to connect to PRQA in plaintext in the plugin configuration file (PRQAScannerConfig.xml) within the Jenkins home directory. This vulnerability allows any attacker with local file system access to the Jenkins home directory to read the unencrypted password.
Exploitation
An attacker needs local file system access to the Jenkins home directory (e.g., through a compromised Jenkins agent, shared filesystem, or other means). The attacker can then navigate to the plugin configuration file and read the password directly. No authentication to Jenkins or user interaction is required beyond having file read access.
Impact
Successful exploitation results in disclosure of the PRQA password, which could be used to gain unauthorized access to the PRQA system or other resources using that credential. The attacker obtains the password in plaintext without privilege escalation within Jenkins itself.
Mitigation
Jenkins PRQA Plugin 2.9.0 switched to storing the password as a credential instead of plaintext configuration [1]. Users should update to version 2.9.0 or later. As of this advisory, no workaround is available for earlier versions; upgrading is the only mitigation.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
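One way to check a Jenkins home directory for the condition described above, as an added example that is not from the advisory or the plugin: it flags XML elements with password-like names whose values are not in the brace-wrapped ciphertext form Jenkins uses for encrypted secrets. The tag-name heuristic and the sample file contents are assumptions; only the file name PRQAScannerConfig.xml comes from this page.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins serializes hudson.util.Secret values as base64 ciphertext in braces.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]{16,}\}$")
# Assumption: password-bearing elements have "password"/"passwd" in the tag name.
SENSITIVE_TAG = re.compile(r"pass(word|wd)", re.IGNORECASE)
# Recent Jenkins writes an XML 1.1 declaration, which some parsers reject.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def audit_file(path):
    """Return tags of password-like elements whose value is not encrypted."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
        root = ET.fromstring(XML_DECL.sub("", text, count=1))
    except (ET.ParseError, OSError):
        return []  # unreadable or malformed XML: nothing to report
    return [e.tag for e in root.iter()
            if SENSITIVE_TAG.search(e.tag) and (e.text or "").strip()
            and not ENCRYPTED.match(e.text.strip())]  # tag only, never the value


def audit_home(jenkins_home):
    """Map each XML file under jenkins_home to its plaintext findings."""
    home = Path(jenkins_home)
    results = {}
    for path in sorted(home.rglob("*.xml")):
        tags = audit_file(path)
        if tags:
            results[str(path.relative_to(home))] = tags
    return results


def build_sample_home():
    """Constructed sample tree; the element names are hypothetical."""
    home = Path(tempfile.mkdtemp(prefix="jenkins_home_"))
    (home / "PRQAScannerConfig.xml").write_text(
        "<?xml version='1.1' encoding='UTF-8'?>\n<config><server>"
        "<user>qa</user><password>constructed-sample</password></server></config>")
    (home / "other-plugin.xml").write_text(
        "<config><password>{AQAAABAAAAAQc2FtcGxlLWNpcGhlcnRleHQ=}</password></config>")
    return home


if __name__ == "__main__":
    for name, tags in audit_home(build_sample_home()).items():
        print(f"{name}: plaintext value in <{', '.join(tags)}>")
```

Any credential the audit flags should be rotated after the plugin is upgraded, since the old value has been readable on disk.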
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.programmingresearch:prqa-plugin (Maven) | < 3.1.2 | 3.1.2 |
Affected products
- Range: <=3.1.0
- Range: 3.1.0 and earlier
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-mxmw-6qgj-h67x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-1003048 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2019/03/28/2 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.securityfocus.com/bid/107628 (mitre, vdb-entry, x_refsource_BID)
- jenkins.io/security/advisory/2019-03-25/ (ghsa, x_refsource_CONFIRM, WEB)
- web.archive.org/web/20200227082607/http://www.securityfocus.com/bid/107628 (ghsa, WEB)