CVE-2019-1003072
Description
Jenkins WildFly Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins WildFly Deployer Plugin stores credentials unencrypted in job config.xml files, allowing users with Extended Read permission or file system access to view them.
Vulnerability
The Jenkins WildFly Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. This affects all versions of the plugin prior to the fix released on 2019-04-03 [1][3]. The credentials are stored in plain text in the job configuration.
Exploitation
An attacker with Extended Read permission on a job, or with access to the Jenkins master file system, can view the credentials. No authentication is required beyond existing permissions. The steps involve accessing the job's config.xml file either through the Jenkins UI (with Extended Read) or direct file system access.
Impact
Successful exploitation leads to disclosure of credentials stored by the plugin, such as passwords or tokens used for WildFly deployment. This could allow an attacker to impersonate the Jenkins instance to WildFly or gain unauthorized access.
Mitigation
The Jenkins security advisory [1] was released on 2019-04-03. Users should update the WildFly Deployer Plugin to the latest version that includes encryption of credentials. Alternatively, ensure that only trusted users have Extended Read permission and restrict file system access. No specific fixed version is mentioned in the provided references.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:wildfly-deployerMaven | <= 1.0.2 | — |
Affected products
3- Range: all versions as of 2019-04-03
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- github.com/advisories/GHSA-8j62-29jg-6hj6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-1003072ghsaADVISORY
- www.openwall.com/lists/oss-security/2019/04/12/2ghsamailing-listx_refsource_MLISTWEB
- www.securityfocus.com/bid/107790mitrevdb-entryx_refsource_BID
- jenkins.io/security/advisory/2019-04-03/ghsax_refsource_CONFIRMWEB
- web.archive.org/web/20200227082017/http://www.securityfocus.com/bid/107790ghsaWEB
News mentions
0No linked articles in our index yet.