CVE-2019-1003055
Description
Jenkins FTP publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins FTP publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master, exposing them to users with file system access.
Vulnerability
The Jenkins FTP publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master [1]. Affected versions are those before the fix provided in the Jenkins Security Advisory 2019-04-03 [1]. Users with access to the Jenkins master file system can view these stored credentials [1].
Exploitation
An attacker needs access to the Jenkins master file system to read the global configuration file where the credentials are stored [1]. No authentication beyond file system access is required to view the plaintext credentials [1]. The credentials are stored without any encryption, making them directly readable [1].
Impact
Successful exploitation leads to disclosure of sensitive credentials (e.g., FTP server usernames and passwords) stored in the Jenkins FTP publisher Plugin's configuration [1]. This can compromise the security of the FTP service and any resources accessible via those credentials [1].
Mitigation
Jenkins released a security advisory on 2019-04-03 addressing this vulnerability [1]. Users should update the FTP publisher Plugin to the latest version that includes the fix [1]. As a workaround, users can restrict access to the Jenkins master file system [1]. No known KEV listing exists.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jvnet.hudson.plugins:ftppublisher (Maven) | <= 1.2 | — |
Affected products
- Range: all versions as of 2019-04-03
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-cwqv-4cf2-5vfj (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-1003055 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2019/04/12/2 (ghsa; mailing-list, x_refsource_MLIST, WEB)
- www.securityfocus.com/bid/107790 (mitre; vdb-entry, x_refsource_BID)
- jenkins.io/security/advisory/2019-04-03/ (ghsa; x_refsource_CONFIRM, WEB)