CVE-2019-10283
Description
Jenkins mabl Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins mabl Plugin stores credentials unencrypted in job config.xml files, allowing users with Extended Read permission or file system access to view them.
Vulnerability
Jenkins mabl Plugin, in versions prior to the fix announced on 2019-04-03, stores user credentials unencrypted in job config.xml files on the Jenkins controller. This affects all jobs using the plugin. The credentials can be viewed by any user who has Extended Read permission on the job, or who has access to the file system of the Jenkins master. The issue is described in the Jenkins Security Advisory [1] and NVD entry [3].
Exploitation
An attacker needs either (a) a Jenkins account with Extended Read permission for a job that uses the mabl plugin, or (b) direct file system access to the Jenkins master where job config.xml files are stored. No other special privileges are required. The attacker can read the credential value directly from the config.xml file without triggering any special code path.
Impact
If exploited, an attacker can obtain the unencrypted credentials stored by the mabl plugin. The impact is a confidentiality/integrity loss because the credentials may be used to access external systems or services configured in the plugin. The exact privilege level depends on the permissions associated with the compromised credential.
Mitigation
Jenkins released a fix for this vulnerability on 2019-04-03 as part of a security advisory [1]. Users should update the mabl Plugin to the latest version. There is no known workaround if the plugin cannot be updated. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
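A defender-side check for the exposure described above, added here as an example and not code from Jenkins, mabl, or this page: it scans job config.xml files for elements written by the `mabl-integration` plugin, flags plugin versions below 0.0.13, and flags key-like fields whose value is not in Jenkins' encrypted `{...}` form. The element names `MablStepBuilder` and `restApiKey` in the constructed sample, and the field-name heuristic, are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

PATCHED = (0, 0, 13)             # patched version, from the table on this page
PLUGIN_ID = "mabl-integration"   # artifact ID, from the table on this page
SECRET_FORMAT = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")   # Jenkins Secret: {base64}
SENSITIVE_NAME = re.compile(r"key|secret|token|password", re.I)  # heuristic (assumption)

# Constructed sample; the class and field names are assumed, not taken from the plugin.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <builders>
    <com.mabl.integration.jenkins.MablStepBuilder plugin="mabl-integration@0.0.12">
      <restApiKey>constructed-plaintext-value</restApiKey>
      <environmentId>env-1</environmentId>
    </com.mabl.integration.jenkins.MablStepBuilder>
  </builders>
</project>"""

def parse_version(plugin_attr):
    """'mabl-integration@0.0.12' -> (0, 0, 12); None if written by another plugin."""
    name, _, version = plugin_attr.partition("@")
    if name != PLUGIN_ID:
        return None
    return tuple(int(p) for p in re.findall(r"\d+", version))

def audit_config(xml_text):
    """Return (kind, detail) findings for one job config.xml; never returns secret values."""
    # Jenkins writes an XML 1.1 declaration, which Python's expat parser rejects: strip it.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    findings = []
    for elem in root.iter():
        version = parse_version(elem.get("plugin", ""))
        if version is None:
            continue
        if version < PATCHED:
            findings.append(("outdated-plugin", elem.get("plugin")))
        for child in elem.iter():
            text = (child.text or "").strip()
            if text and SENSITIVE_NAME.search(child.tag) and not SECRET_FORMAT.match(text):
                findings.append(("plaintext-field", child.tag))
    return findings

def audit_home(jenkins_home):
    """Scan every job config.xml under JENKINS_HOME/jobs; keep only jobs with findings."""
    results = {}
    for path in Path(jenkins_home).glob("jobs/**/config.xml"):
        found = audit_config(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            results[str(path)] = found
    return results
```

Any credential the scan flags has been readable in plaintext and should be rotated after the plugin is updated, since re-saving the job does not undo earlier exposure.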
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.mabl.integration.jenkins:mabl-integration (Maven) | < 0.0.13 | 0.0.13 |
Affected products
- Range: all versions as of 2019-04-03
References
- github.com/advisories/GHSA-hmf2-prm5-rvxm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10283 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2019/04/12/2 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.securityfocus.com/bid/107790 (mitre, vdb-entry, x_refsource_BID)
- jenkins.io/security/advisory/2019-04-03/ (ghsa, x_refsource_CONFIRM, WEB)