CVE-2019-1003067
Description
Jenkins Trac Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Trac Publisher Plugin stores credentials unencrypted in job config.xml files, allowing users with Extended Read permission or file system access to view them.
Vulnerability
The Jenkins Trac Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master [1][3]. This affects all versions of the plugin prior to the fix announced in the Jenkins Security Advisory 2019-04-03 [1]. Any job using the plugin will have its associated credentials readable in plain text within the job's configuration file.
Exploitation
An attacker needs either the 'Extended Read' permission on a job in Jenkins, or direct access to the Jenkins master file system [1][3]. No specific authentication or user interaction beyond having these permissions is required; the attacker can simply view the config.xml file of the affected job to extract the stored credentials.
Impact
Successful exploitation reveals the plaintext credentials configured for the Trac Publisher Plugin job. This leads to information disclosure of potentially sensitive credentials, compromising their confidentiality [1][3]. The attacker gains no additional privileges within Jenkins itself but can reuse the exposed credentials against other systems.
Mitigation
The Jenkins Security Advisory 2019-04-03 [1] indicates that a fix was released; users should update the Trac Publisher Plugin to the latest version that addresses this issue. Administration should also review and revoke any credentials that may have been exposed. As per the advisory, the vulnerability is addressed by the plugin update.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:trac-publisher-pluginMaven | <= 1.3 | — |
Affected products
3- Range: all versions as of 2019-04-03
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-577w-62cp-f67hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-1003067ghsaADVISORY
- www.openwall.com/lists/oss-security/2019/04/12/2ghsamailing-listx_refsource_MLISTWEB
- www.securityfocus.com/bid/107790mitrevdb-entryx_refsource_BID
- jenkins.io/security/advisory/2019-04-03/ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.