CVE-2019-1003051

Vulnerability

The Jenkins IRC Plugin stores credentials unencrypted in its global configuration file hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins controller. This affects all versions of the plugin prior to the fix released in the 2019-04-03 security advisory [1]. The credentials are stored as plaintext without any encryption or obfuscation.

Exploitation

An attacker requires access to the Jenkins controller's file system to read the configuration file. This could be achieved through direct file system access, a separate vulnerability that enables file read, or by having a user account with sufficient permissions to view files on the master node. No other special privileges or user interaction are needed [2].

Impact

Successful exploitation leads to disclosure of credentials stored in the IRC Plugin configuration. These credentials could be used to access external IRC services or other systems if the same credentials are reused. The confidentiality impact is limited to the credentials stored by the plugin [1].

Mitigation

Jenkins released a security advisory on 2019-04-03 recommending users upgrade the IRC Plugin to a version that encrypts credentials [1]. If an upgrade is not immediately possible, administrators should restrict access to the Jenkins master file system to trusted users only. No workaround other than upgrading has been published [3].