Low severity · NVD Advisory · Published Apr 4, 2019 · Updated Aug 5, 2024
CVE-2019-1003064
CVE-2019-1003064
Description
Jenkins aws-device-farm Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:aws-device-farm (Maven) | < 1.26 | 1.26 |
Affected products
1- Range: all versions as of 2019-04-03
Patches
1 · 2d8cfe3cdd29 · [SECURITY-835][CVE-2019-1003064] Fix for reported issue on Jenkins Jira.
1 file changed · +17 −16
src/main/java/org/jenkinsci/plugins/awsdevicefarm/AWSDeviceFarmRecorder.java+17 −16 modified@@ -56,6 +56,7 @@ import hudson.util.FormValidation; import hudson.util.IOUtils; import hudson.util.ListBoxModel; +import hudson.util.Secret; import net.sf.json.JSONObject; import javax.annotation.Nonnull; import jenkins.tasks.SimpleBuildStep; @@ -435,7 +436,7 @@ public String isTestType(String testTypeName) { /** * Test if the environment selected by Customer is 'Standard' (for marking the radio button). * - * @param testTypeName + * @param environmentToRun * The String representation of the environment. * @return Whether or not the test type string matches. */ @@ -1129,8 +1130,8 @@ private ScheduleRunTest getScheduleRunTest(EnvVars env, AWSDeviceFarm adf, Proje */ private boolean validateConfiguration(@Nonnull PrintStream log) { String roleArn = getRoleArn(); - String akid = getAkid(); - String skid = getSkid(); + String akid = Secret.toString(getAkid()); + String skid = Secret.toString(getSkid()); // [Required]: Auth Credentials if ((roleArn == null || roleArn.isEmpty()) && (akid == null || akid.isEmpty() || skid == null || skid.isEmpty())) { @@ -1382,7 +1383,7 @@ public String getRoleArn() { * * @return The access key ID. */ - public String getAkid() { + public Secret getAkid() { return getDescriptor().akid; } @@ -1391,7 +1392,7 @@ public String getAkid() { * * @return The secret key ID. */ - public String getSkid() { + public Secret getSkid() { return getDescriptor().skid; } @@ -1441,8 +1442,8 @@ public BuildStepMonitor getRequiredMonitorService() { @Symbol("devicefarm") public static final class DescriptorImpl extends BuildStepDescriptor<Publisher> { public String roleArn; - public String akid; - public String skid; + public Secret akid; + public Secret skid; private List<String> projectsCache = new ArrayList<String>(); private Map<String, List<String>> poolsCache = new HashMap<String, List<String>>(); 
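Review bot: In `validateConfiguration` the new locals `akid` and `skid` hold the decrypted key pair inside a method that also receives the build `PrintStream log`, while the lines shown use them only for emptiness checks. The rest of the method lies outside this hunk, so it is worth confirming that no later branch writes either value to the log. A comment above the two assignments, for example `// plaintext, used for presence checks only; never write to log`, would record that intent for the next maintainer.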
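Review bot: Switching `akid` and `skid` to `Secret` in `DescriptorImpl` protects only what is written from now on; nothing in this commit rewrites a configuration file that was saved earlier with the old `String` fields. Presumably the plaintext values stay on disk until the global configuration is saved again, so the upgrade path should either re-save the descriptor once after load or tell administrators to do so, and keys that sat unencrypted are candidates for rotation. The two fields are also still `public`; `private Secret akid;` and `private Secret skid;` would stop other code from reading them directly, assuming nothing outside this file depends on field access. The class body continues outside the hunk.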
@@ -1468,7 +1469,7 @@ protected final void setRoleArn(String roleArnValue){ * @param akidValue */ protected final void setAkid(String akidValue){ - akid = akidValue; + akid = Secret.fromString(akidValue); } /** @@ -1477,7 +1478,7 @@ protected final void setAkid(String akidValue){ * @param skidValue */ protected final void setSkid(String skidValue){ - skid = skidValue; + skid = Secret.fromString(skidValue); } /** @@ -1488,7 +1489,7 @@ protected final void setSkid(String skidValue){ public AWSDeviceFarm getAWSDeviceFarm() { AWSDeviceFarm adf; if (roleArn == null || roleArn.isEmpty()) { - adf = new AWSDeviceFarm(new BasicAWSCredentials(akid, skid)); + adf = new AWSDeviceFarm(new BasicAWSCredentials(Secret.toString(akid), Secret.toString(skid))); } else { adf = new AWSDeviceFarm(roleArn); } @@ -1503,6 +1504,8 @@ public AWSDeviceFarm getAWSDeviceFarm() { */ @SuppressWarnings("unused") public FormValidation doCheckRoleArn(@QueryParameter String roleArn) { + String skid = Secret.toString(this.skid); + String akid = Secret.toString(this.akid); if ((roleArn == null || roleArn.isEmpty()) && (akid == null || akid.isEmpty() || skid == null || skid.isEmpty())) { return FormValidation.error("Required if AKID/SKID isn't present!"); } @@ -1530,12 +1533,10 @@ public FormValidation doCheckRoleArn(@QueryParameter String roleArn) { */ @SuppressWarnings("unused") public FormValidation doCheckAkid(@QueryParameter String akid) { + String skid = Secret.toString(this.skid); if ((roleArn == null || roleArn.isEmpty()) && (akid == null || akid.isEmpty())) { return FormValidation.error("Required if IAM Role ARN isn't present!"); } - if ((roleArn == null || roleArn.isEmpty()) && (akid.length() != 20)) { - return FormValidation.error("AWS AKIDs are 20 characters long."); - } if (roleArn != null && !roleArn.isEmpty() && akid != null && !akid.isEmpty() && skid != null && !skid.isEmpty()) { return FormValidation.error("Must specify either IAM Role ARN *OR* AKID/SKID!"); } 
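Review bot: `doCheckRoleArn` now decrypts the stored keys in its first two lines with no permission check ahead of them, and its answer differs depending on whether credentials are stored. The same pattern is added to `doCheckAkid`, `doCheckSkid` and `doRefresh`. As form-validation `do*` methods these are normally reachable over HTTP, so a first line such as `Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);` would restrict them to users who may edit the global configuration. Whether something outside these hunks already enforces that is not visible here, and the method bodies continue past the hunk ends.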
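Review bot: In `doCheckAkid` the new local `skid` shadows the descriptor field of the same name, while `akid` is the submitted form value, so the either/or condition mixes a submitted value with a stored one under look-alike names. Naming the local for what it is, `String storedSkid = Secret.toString(this.skid);`, and using it in the last condition would make that visible; `doCheckSkid`, `doCheckRoleArn` and `doRefresh` shadow the fields the same way. The 20-character check is removed here without a comment saying why, so a one-line comment stating what format, if any, is still expected would help.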
@@ -1550,12 +1551,10 @@ public FormValidation doCheckAkid(@QueryParameter String akid) { */ @SuppressWarnings("unused") public FormValidation doCheckSkid(@QueryParameter String skid) { + String akid = Secret.toString(this.akid); if ((roleArn == null || roleArn.isEmpty()) && (skid == null || skid.isEmpty())) { return FormValidation.error("Required if IAM Role ARN isn't present!"); } - if ((roleArn == null || roleArn.isEmpty()) && (skid.length() != 40)) { - return FormValidation.error("AWS SKIDs are 40 characters long."); - } if (roleArn != null && !roleArn.isEmpty() && akid != null && !akid.isEmpty() && skid != null && !skid.isEmpty()) { return FormValidation.error("Must specify either IAM Role ARN *OR* AKID/SKID!"); } @@ -1801,6 +1800,8 @@ public FormValidation doCheckJobTimeoutMinutes(@QueryParameter Integer jobTimeou */ @SuppressWarnings("unused") public FormValidation doRefresh() { + String skid = Secret.toString(this.skid); + String akid = Secret.toString(this.akid); if (roleArn != null && !roleArn.isEmpty() && akid != null && !akid.isEmpty() && skid != null && !skid.isEmpty()) { return FormValidation.error("AWS Device Farm IAM Role ARN *OR* AKID/SKID must be set!"); }
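Review bot: `doCheckSkid` still receives the secret key as `@QueryParameter String skid`, so if the validation request is sent as a GET the plaintext key ends up in the request URL, where access logs and proxies can record it. Annotating the method with `@RequirePOST` and setting `checkMethod="post"` on the field in the Jelly view would keep the value in the request body; `doCheckAkid` deserves the same treatment. The view file is not part of this commit, so how the field is rendered and validated today cannot be told from this hunk.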
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6
- github.com/advisories/GHSA-phwr-pmh3-m8g2 [ghsa · ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2019-1003064 [ghsa · ADVISORY]
- www.openwall.com/lists/oss-security/2019/04/12/2 [ghsa · mailing-list · x_refsource_MLIST · WEB]
- www.securityfocus.com/bid/107790 [mitre · vdb-entry · x_refsource_BID]
- github.com/jenkinsci/aws-device-farm-plugin/commit/2d8cfe3cdd299c152ca5d13aada51cb69d0fec88 [ghsa · WEB]
- jenkins.io/security/advisory/2019-04-03/ [ghsa · x_refsource_CONFIRM · WEB]