Moderate severity · NVD Advisory · Published Apr 4, 2019 · Updated Aug 4, 2024
CVE-2019-10286
CVE-2019-10286
Description
Jenkins DeployHub Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.openmake:deployhub (Maven) | < 8.0.14 | 8.0.14 |
Affected products
1- Range: all versions as of 2019-04-03
Patches
1 · 6ad56362087f · Use Secret class for password
15 files changed · +29 −14
release.properties+14 −0 added
@@ -0,0 +1,14 @@
+#release configuration
+#Wed Apr 03 17:15:36 MDT 2019
+scm.tagNameFormat=@{project.artifactId}-@{project.version}
+scm.username=sbtaylor15
+pushChanges=true
+scm.url=scm\:git\:https\://github.com/jenkinsci/deployhub-plugin.git
+preparationGoals=clean install
+scm.password=G0p\!1966
+remoteTagging=true
+projectVersionPolicyId=default
+scm.commentPrefix=[maven-release-plugin]
+exec.snapshotReleasePluginAllowed=false
+exec.additionalArguments=
+completedPhase=check-poms
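Review bot: This file section commits `release.properties`, and its `scm.username` and `scm.password` entries put a plaintext SCM credential into the repository history, in the same commit that moves the plugin's own password into `Secret`. The file looks like the maven-release-plugin's working state (the header comment and `completedPhase=check-poms` suggest an interrupted `release:prepare`), so it should not be tracked: remove it, add `release.properties` to `.gitignore`, and treat the credential as exposed and rotate it, since deleting the file in a later commit does not remove it from history. The `.DS_Store` entries listed in the same commit are the same kind of working-directory artifact and belong in `.gitignore` as well.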
src/.DS_Store+0 −0 modifiedsrc/main/.DS_Store+0 −0 modifiedsrc/main/java/.DS_Store+0 −0 modifiedsrc/main/java/org/.DS_Store+0 −0 modifiedsrc/main/java/org/jenkinsci/.DS_Store+0 −0 modifiedsrc/main/java/org/jenkinsci/plugins/deployhub/Common.java+1 −1 modified@@ -8,10 +8,10 @@ import java.io.InputStreamReader; import java.net.HttpURLConnection; import java.net.URL; +import java.net.URLEncoder; import java.nio.charset.StandardCharsets; import java.util.HashMap; import java.util.List; -import java.net.URLEncoder; import javax.xml.parsers.DocumentBuilder; // for XML parsing
src/main/java/org/jenkinsci/plugins/deployhub/Components.java+3 −2 modified@@ -1,10 +1,11 @@ package org.jenkinsci.plugins.deployhub; -import hudson.Extension; -import java.util.HashMap; import java.util.ArrayList; +import java.util.HashMap; + import org.kohsuke.stapler.bind.JavaScriptMethod; +import hudson.Extension; import hudson.model.Action; @Extension
src/main/java/org/jenkinsci/plugins/deployhub/DeployHub.java+5 −5 modified@@ -4,7 +4,6 @@ import java.io.BufferedWriter; import java.io.File; import java.io.FileOutputStream; -import java.io.FileWriter; import java.io.IOException; import java.io.InputStreamReader; import java.io.OutputStreamWriter; @@ -44,6 +43,7 @@ import hudson.tasks.Publisher; import hudson.tasks.Recorder; import hudson.util.FormValidation; +import hudson.util.Secret; public class DeployHub extends Recorder { @@ -72,7 +72,7 @@ public static class DescriptorImpl extends Descriptor<Attribute> { private boolean debug=false; private final String username; - private final String password; + private final Secret password; private boolean deployApplication; private boolean useAdvanced; private boolean findLatestVersion; @@ -119,7 +119,7 @@ public DeployHub( String username, List<Attribute> compatts) { this.username = username; - this.password = password; + this.password = Secret.fromString(password); this.deployApplication = deployApplication; this.useAdvanced = useAdvanced; this.findLatestVersion = findLatestVersion; @@ -149,7 +149,7 @@ public String getUsername() { } public String getPassword() { - return password; + return Secret.toString(password); } public boolean getDeployApplication() { @@ -327,7 +327,7 @@ public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListen // String urlstr = server + "/dmadminweb/API/login" +"?user="+URLEncoder.encode(username, "UTF-8") - +"&pass="+URLEncoder.encode(password, "UTF-8"); + +"&pass="+URLEncoder.encode(Secret.toString(password), "UTF-8"); //listener.getLogger().println("DEBUG: urlstr="+urlstr); JsonObject res = SendMessage(listener,cm,urlstr); //listener.getLogger().println("JSON Result = "+res.toString());
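Review bot: `getPassword()` still returns a `String` built with `Secret.toString(password)`, so every caller of the getter, which presumably includes the job configuration form, receives the decrypted value even though the field is now a `Secret`. Returning the wrapper instead, `public Secret getPassword() { return password; }`, lets a password form control round-trip the encrypted form; the Jelly view is not part of this diff, so confirm it binds the field with a password control. In `perform`, the decrypted password is still placed in the query string of the `/dmadminweb/API/login` URL (`"&pass="+URLEncoder.encode(Secret.toString(password), "UTF-8")`), where it can end up in server and proxy logs; sending it in a POST body would avoid that, and the commented-out `DEBUG: urlstr=` print just below should stay disabled because it would write the password to the build log. Job `config.xml` files written before this change presumably keep the plaintext value until each job is saved again, which is worth stating in the release notes. The constructor and `perform` both start and end outside the hunks shown.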
src/main/java/org/jenkinsci/plugins/deployhub/DeployHubMenu.java+0 −2 modified@@ -4,8 +4,6 @@ import hudson.ExtensionPoint; import hudson.model.Action; import hudson.model.Describable; - - import jenkins.model.Jenkins; public abstract class DeployHubMenu implements ExtensionPoint, Action, Describable<DeployHubMenu> {
src/main/java/org/jenkinsci/plugins/deployhub/Root.java+6 −4 modified@@ -1,12 +1,14 @@ package org.jenkinsci.plugins.deployhub; +import java.util.List; + +import org.kohsuke.stapler.StaplerRequest; +import org.kohsuke.stapler.StaplerResponse; + import hudson.Extension; -import hudson.model.RootAction; import hudson.model.Action; +import hudson.model.RootAction; import jenkins.model.ModelObjectWithContextMenu; -import org.kohsuke.stapler.StaplerRequest; -import org.kohsuke.stapler.StaplerResponse; -import java.util.List; /** * Entry point to all the UI samples.
src/main/resources/.DS_Store+0 −0 modifiedsrc/main/resources/org/.DS_Store+0 −0 modifiedsrc/main/resources/org/jenkinsci/.DS_Store+0 −0 modifiedsrc/main/resources/org/jenkinsci/plugins/.DS_Store+0 −0 modified
References
6
- github.com/advisories/GHSA-9m3c-xfhf-53mh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10286 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2019/04/12/2 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.securityfocus.com/bid/107790 (mitre, vdb-entry, x_refsource_BID)
- github.com/jenkinsci/deployhub-plugin/commit/6ad56362087f6d34c3532a0962a881cd8a822394 (ghsa, WEB)
- jenkins.io/security/advisory/2019-04-03/ (ghsa, x_refsource_CONFIRM, WEB)