CVE-2019-10280
Description
Jenkins Assembla Auth Plugin stores credentials unencrypted in global config.xml, allowing users with filesystem access to view them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Assembla Auth Plugin stores credentials unencrypted in global config.xml, allowing users with filesystem access to view them.
Vulnerability
Jenkins Assembla Auth Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master. This affects all versions of the plugin that do not have the fix applied. [1][3]
Exploitation
An attacker with access to the Jenkins master file system can read the config.xml file and obtain the stored credentials. This includes users with administrative access or those who can read Jenkins configuration files through other means. [1][2]
Impact
Successful exploitation leads to exposure of credentials stored by the Assembla Auth Plugin, potentially allowing the attacker to authenticate as the configured user on Assembla. The impact is limited to credential disclosure. [1]
Mitigation
Update the Jenkins Assembla Auth Plugin to the latest version as recommended in the Jenkins security advisory dated 2019-04-03. There is no known workaround. [1][3]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:assembla-authMaven | < 1.13 | 1.13 |
Affected products
2- Range: all versions as of 2019-04-03
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-wmq3-24jm-m8xhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-10280ghsaADVISORY
- www.openwall.com/lists/oss-security/2019/04/12/2ghsamailing-listx_refsource_MLISTWEB
- www.securityfocus.com/bid/107790ghsavdb-entryx_refsource_BIDWEB
- jenkins.io/security/advisory/2019-04-03/ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.