CVE-2019-1010241
Description
Jenkins Credentials Binding Plugin 1.17 stores passwords in a recoverable format, letting authenticated users retrieve them via crafted jobs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The Jenkins Credentials Binding Plugin version 1.17 suffers from CWE-257: Storing Passwords in a Recoverable Format [1]. The affected component is the config-variables.jelly file, line 30, where the passwordVariable binding is handled [1]. A password bound through passwordVariable reaches the build as a plaintext environment variable, so any job that binds the credential can read its value rather than only use it [1].
Exploitation
Prerequisites
An attacker must have authenticated access to a Jenkins instance and the ability to create (or reconfigure) and execute a job [1]; in Jenkins terms that is Job/Configure and Job/Build on some job for which the target credential is in scope, and no administrator rights are needed. The attacker configures that job to bind the credential to a variable with the credentials binding functionality, then adds a build step that prints or stores the variable; running the job yields the credential in plaintext [1][3].
Impact
Successful exploitation allows an authenticated attacker to recover sensitive credentials managed by the plugin, such as secret texts, passwords, or other confidential strings [2]. These credentials are intended for use by build jobs and should not be readable in plaintext by the users who configure those jobs. Once recovered, the attacker may reuse them against the systems they protect or to escalate privileges within the Jenkins environment [3].
Mitigation
The vulnerability affects Credentials Binding Plugin version 1.17. Reference [3] points to updated versions (1.18 or later); no patch is recorded in the Patches section of this page, so confirm the fix against the plugin's own changelog before relying on a version number. For Red Hat OpenShift Container Platform versions 3.9, 3.10, 3.11, and 4.1, updated packages are available [3]. Independently of the plugin version, treat every credential that a job can bind as readable by every user who can configure that job: restrict Job/Configure and Job/Build to trusted users, scope credentials to the folder or job that needs them instead of the whole instance, and remember that the plugin's console-log masking hides only the literal secret string, not an encoded copy or a file the job writes.
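As an added example, serving both the Exploitation and Mitigation sections above (this is not code from the plugin, from Jenkins or from the references on this page): a Python audit over Jenkins job config.xml files that lists the secrets the plugin binds into a job and rates every build step that references them. The two job configurations are constructed here; their element names follow the plugin's config.xml serialisation as assumed for this example, not as documented by the advisory. The rating encodes the masking caveat: a step that echoes the variable directly is masked to `****` in the console log, so it is rated medium, while a step that re-encodes the value (base64, rev, xxd) or redirects it into a file is rated high because the real value leaves the build unmasked.

```python
"""Audit Jenkins job config.xml for secrets bound by the Credentials Binding
plugin that a build step references; rate the reference 'high' when the step
also re-encodes or redirects the value, which defeats console-log masking.
Added example, not plugin code. Element names and both sample jobs are
assumptions constructed for this example."""
import re
import xml.etree.ElementTree as ET

# Binding child elements whose value is a secret. <usernameVariable> is not.
SECRET_BINDING_ELEMS = {"passwordVariable", "variable"}

# Tools that change the bytes of a value or move it off the console. The plugin
# masks only exact occurrences of the secret in the build log.
EXFIL_RE = re.compile(
    r"\b(base64|base32|xxd|od|hexdump|rev|tr|sed|awk|cut|fold|curl|wget|nc|ncat|tee|openssl|gzip)\b"
    r"|>{1,2}\s*[^&\s]"  # redirect into a file (2>&1 is not counted)
)
# Pipeline DSL: usernamePassword(..., passwordVariable: 'PASS'), string(variable: 'T')
PIPELINE_BIND_RE = re.compile(r"\b(?:passwordVariable|variable)\s*:\s*['\"](\w+)['\"]")


def bound_secret_vars(root):
    """Environment variable names that receive secret values in this job."""
    names = set()
    for el in root.iter():
        if el.tag.endswith("SecretBuildWrapper"):         # freestyle build wrapper
            names.update(b.text.strip() for b in el.iter()
                         if b.tag in SECRET_BINDING_ELEMS and b.text)
        elif el.tag == "script" and el.text:               # inline Pipeline script
            names.update(PIPELINE_BIND_RE.findall(el.text))
    return names


def build_steps(root):
    """(label, text) for each place the job runs user-supplied commands."""
    steps = []
    for el in root.iter():
        if el.tag in ("hudson.tasks.Shell", "hudson.tasks.BatchFile"):
            cmd = el.find("command")
            if cmd is not None and cmd.text:
                steps.append((el.tag, cmd.text))
        elif el.tag == "script" and el.text:
            steps.append(("pipeline-script", el.text))
    return steps


def audit_job(config_xml):
    """One finding per (bound secret, step that references it), in document order."""
    root = ET.fromstring(config_xml)
    findings = []
    for var in sorted(bound_secret_vars(root)):
        v = re.escape(var)
        ref = re.compile(r"\$\{?" + v + r"\b\}?|%" + v + r"%")   # $V, ${V}, %V%
        for label, text in build_steps(root):
            if ref.search(text):
                severity = "high" if EXFIL_RE.search(text) else "medium"
                findings.append({"var": var, "step": label, "severity": severity})
    return findings


# Constructed sample: freestyle job binding a username/password and a secret text.
FREESTYLE_JOB = """<project>
  <builders>
    <hudson.tasks.Shell><command>echo "$USER is deploying"</command></hudson.tasks.Shell>
    <hudson.tasks.Shell><command>./deploy.sh --token "$TOKEN"</command></hudson.tasks.Shell>
    <hudson.tasks.Shell><command>echo "$PASS" | base64</command></hudson.tasks.Shell>
  </builders>
  <buildWrappers>
    <org.jenkinsci.plugins.credentialsbinding.impl.SecretBuildWrapper plugin="credentials-binding@1.17">
      <bindings>
        <org.jenkinsci.plugins.credentialsbinding.impl.UsernamePasswordMultiBinding>
          <credentialsId>deploy-creds</credentialsId>
          <usernameVariable>USER</usernameVariable>
          <passwordVariable>PASS</passwordVariable>
        </org.jenkinsci.plugins.credentialsbinding.impl.UsernamePasswordMultiBinding>
        <org.jenkinsci.plugins.credentialsbinding.impl.StringBinding>
          <credentialsId>api-token</credentialsId>
          <variable>TOKEN</variable>
        </org.jenkinsci.plugins.credentialsbinding.impl.StringBinding>
      </bindings>
    </org.jenkinsci.plugins.credentialsbinding.impl.SecretBuildWrapper>
  </buildWrappers>
</project>"""

# Constructed sample: Pipeline job that writes the bound password into an artifact.
PIPELINE_JOB = """<flow-definition plugin="workflow-job">
  <definition class="org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition">
    <script>node {
  withCredentials([usernamePassword(credentialsId: 'deploy-creds',
                   usernameVariable: 'USER', passwordVariable: 'PASS')]) {
    sh 'printf "%s" "$PASS" > leak.txt'
    archiveArtifacts 'leak.txt'
  }
}</script>
  </definition>
</flow-definition>"""

if __name__ == "__main__":
    for name, cfg in (("freestyle", FREESTYLE_JOB), ("pipeline", PIPELINE_JOB)):
        for f in audit_job(cfg):
            print(f"{name}: {f['severity']:6} {f['var']} referenced in {f['step']}")
```

Run it against the `jobs/*/config.xml` tree of a controller backup and review every high finding by hand; a medium finding is still a user who can read the credential by editing the step, which is the point of this CVE. The username binding is deliberately not rated, and `echo "$PASS"` alone rates medium because the console log shows `****` for it.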
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Jenkins Credentials Binding Plugin (Jenkins), affected range: 1.17
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-j7gw-mwfg-vqf4 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-1010241 (NVD)
- www.securityfocus.com/bid/109320 (SecurityFocus BID)
- docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit (MISC)
- web.archive.org/web/20200227030005/https://www.securityfocus.com/bid/109320 (archived copy of the BID entry)
News mentions
No linked articles in our index yet.