CVE-2019-1003096
Description
Jenkins TestFairy Plugin stores credentials unencrypted in job config.xml, exposing them to users with Extended Read or file system access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins TestFairy Plugin stores credentials unencrypted in job config.xml, exposing them to users with Extended Read or file system access.
Vulnerability
The Jenkins TestFairy Plugin stores credentials (e.g., API tokens) in plaintext in job config.xml files on the Jenkins master. This affects all versions of the plugin as per the official description [3] and the Jenkins security advisory [1].
Exploitation
An attacker with Extended Read permission on a Jenkins job or access to the master file system can read the config.xml file of any job that uses the TestFairy plugin. No additional authentication or user interaction is required beyond the existing permissions.
Impact
Successful exploitation leads to disclosure of the plaintext credentials stored in the job configuration. These credentials may be used to authenticate to the TestFairy service or other systems, posing a risk of unauthorized access and data exposure.
Mitigation
The Jenkins Security Advisory 2019-04-03 [1] addresses this vulnerability. As of the provided references, the specific fixed version is not disclosed. Users should update the TestFairy Plugin to the latest available version from the Jenkins plugin repository.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:TestFairyMaven | < 4.17.2 | 4.17.2 |
Affected products
2- Range: all versions as of 2019-04-03
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-ffv8-x822-fx73ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-1003096ghsaADVISORY
- www.openwall.com/lists/oss-security/2019/04/12/2ghsamailing-listx_refsource_MLISTWEB
- www.securityfocus.com/bid/107790ghsavdb-entryx_refsource_BIDWEB
- jenkins.io/security/advisory/2019-04-03/ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.