Moderate severityNVD Advisory· Published Apr 4, 2019· Updated Aug 5, 2024

CVE-2019-1003056

Description

Jenkins WebSphere Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins WebSphere Deployer Plugin stores credentials in clear text in job config.xml, allowing users with Extended Read or file system access to view them.

Vulnerability

The Jenkins WebSphere Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. This affects all versions of the plugin. Users with Extended Read permission or access to the master file system can view these credentials. [1][3]

Exploitation

An attacker needs either Extended Read permission on the Jenkins instance or direct access to the master file system to read the config.xml files. No other prerequisites are required. [1]

Impact

Successful exploitation allows the attacker to view stored credentials in plain text, leading to potential information disclosure and further compromise of associated systems. [1][3]

Mitigation

The Jenkins Security Advisory does not mention a fixed version; users should monitor for plugin updates. As a workaround, restrict Extended Read permission and file system access to trusted users. [1]

References

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.plugins:websphere-deployerMaven	<= 1.6.1	—

Affected products

Jenkins Project/WebSphere Deployer Pluginllm-create
ghsa-coords
pkg:maven/org.jenkins-ci.plugins/websphere-deployer
Range: <= 1.6.1
Jenkins Project/DeployHub Plugincpe-rescue
Range: all versions as of 2019-04-03

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-rqf2-4ggc-c74wghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2019-1003056ghsaADVISORY
www.openwall.com/lists/oss-security/2019/04/12/2ghsamailing-listx_refsource_MLISTWEB
www.securityfocus.com/bid/107790mitrevdb-entryx_refsource_BID
jenkins.io/security/advisory/2019-04-03/ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000