CVE-2019-10291
Description
Jenkins Netsparker Cloud Scan Plugin <=1.1.5 stores credentials unencrypted in global configuration file, exposing them to users with file system access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Netsparker Cloud Scan Plugin <=1.1.5 stores credentials unencrypted in global configuration file, exposing them to users with file system access.
Vulnerability
Jenkins Netsparker Cloud Scan Plugin version 1.1.5 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master [1][3]. This is a plaintext storage issue where sensitive information such as API tokens or authentication secrets are written without any cryptographic protection.
Exploitation
To exploit this vulnerability, an attacker requires access to the Jenkins master file system. This could be achieved through existing shell access, a separate file read vulnerability, or other means that allow reading the plugin's configuration file. No Jenkins user permissions beyond file system read are needed; the credentials are stored in plaintext and can be viewed directly [1].
Impact
An attacker with file system access can retrieve the stored credentials, potentially compromising the Netsparker Cloud service or other integrated systems. This could lead to unauthorized scanning, data exfiltration, or lateral movement within the CI/CD pipeline.
Mitigation
The Jenkins Security Advisory recommends updating to a newer version of the plugin that encrypts credentials [1]. Users should also restrict file system access to the Jenkins master and follow best practices for credential management.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:netsparker-cloud-scanMaven | < 1.1.6 | 1.1.6 |
Affected products
2- Range: 1.1.5 and older
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-m7q8-8g56-m78wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-10291ghsaADVISORY
- www.openwall.com/lists/oss-security/2019/04/12/2ghsamailing-listx_refsource_MLISTWEB
- www.securityfocus.com/bid/107790mitrevdb-entryx_refsource_BID
- jenkins.io/security/advisory/2019-04-03/ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.