VYPR
High severity · NVD Advisory · Published Apr 4, 2019 · Updated Aug 4, 2024

CVE-2019-10294


Description

Jenkins Kmap Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Kmap Plugin stores credentials unencrypted in job config.xml files, exposing them to users with Extended Read permission or file system access.

Vulnerability

Description

The Jenkins Kmap Plugin, as described in the official advisory [1], stores credentials unencrypted in job config.xml files on the Jenkins controller (master). This violates the principle of secure credential storage, as plaintext credentials can be easily retrieved by any entity with access to these configuration files.

Exploitation and Attack Surface

Users with Extended Read permission on Jenkins jobs can view these credentials through the Jenkins web interface, because that permission lets them read the job configuration. Additionally, any user with access to the master file system (e.g., via direct file read or shell access) can read the config.xml files containing the plaintext credentials [2]. Because exploitation requires only an authenticated Jenkins user with that permission, or file-system access to the controller, the issue is particularly dangerous in shared or multi-tenant Jenkins environments.

Impact

An attacker who successfully exploits this vulnerability can obtain sensitive credentials stored by the Kmap Plugin. These credentials could be used to access external services integrated with Jenkins, leading to further compromise of connected systems, data exfiltration, or lateral movement within the infrastructure.

Mitigation

As of the advisory in April 2019, users are advised to update the Kmap Plugin to a version that properly encrypts stored credentials. In the meantime, administrators should review access controls and grant Extended Read permission only to trusted users. The NVD entry [3] also recommends limiting file system access on the controller to prevent unauthorized credential exposure.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
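One way to act on the mitigation advice above is to audit job configurations for credentials that are not stored in Jenkins's encrypted form. The following script is an added example, not code from VYPR or from the Kmap Plugin. It assumes the Jenkins convention that a value written through `hudson.util.Secret` appears in config.xml as a base64 string wrapped in braces; any credential-named element whose text does not have that shape is reported for review (legacy bare-base64 secrets are therefore also reported, which is the safer failure mode). The sample config.xml, the plugin class name and the file layout are constructed for the example.

```python
"""Audit Jenkins job config.xml files for credential-looking values that are
not stored in the encrypted Secret format (added example, not from VYPR or
the Kmap Plugin)."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Element names that commonly hold credentials; extend for the plugins you run.
CREDENTIAL_TAG = re.compile(r"password|passwd|secret|token|apikey|api_key", re.I)

# Assumption: values written by hudson.util.Secret look like "{<base64>}".
# Anything else inside a credential-named element is treated as plaintext.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Constructed sample: one plaintext password (the pattern this CVE describes)
# and one value already in the encrypted Secret form. Plugin class name is made up.
SAMPLE_CONFIG = """<project>
  <builders>
    <com.example.hypothetical.CredentialedBuilder>
      <username>deploy</username>
      <password>hunter2</password>
      <apiToken>{AQAAABAAAAAQ3ex8ltlhh3vaHM1qlQZ9Kb3mWwVdOfmlWl8BEgGGEJQ=}</apiToken>
    </com.example.hypothetical.CredentialedBuilder>
  </builders>
</project>
"""


def find_plaintext_credentials(xml_text: str) -> list[str]:
    """Return the element paths of credential-named elements whose text is not
    in the encrypted Secret format. Values are deliberately not returned, so
    the audit report never re-exposes the secret it found."""
    root = ET.fromstring(xml_text)
    findings: list[str] = []

    def walk(elem: ET.Element, path: str) -> None:
        for child in elem:
            child_path = f"{path}/{child.tag}"
            text = (child.text or "").strip()
            if text and CREDENTIAL_TAG.search(child.tag) and not ENCRYPTED_SECRET.match(text):
                findings.append(child_path)
            walk(child, child_path)

    walk(root, root.tag)
    return findings


def scan_jenkins_home(jenkins_home: Path) -> dict[str, list[str]]:
    """Scan every jobs/*/config.xml under JENKINS_HOME; map file -> findings."""
    results: dict[str, list[str]] = {}
    for config in sorted(jenkins_home.glob("jobs/*/config.xml")):
        hits = find_plaintext_credentials(config.read_text(encoding="utf-8"))
        if hits:
            results[str(config)] = hits
    return results


if __name__ == "__main__":
    # Usage: python audit_config.py /var/lib/jenkins  (path is an assumption)
    if len(sys.argv) > 1:
        report = scan_jenkins_home(Path(sys.argv[1]))
    else:
        report = {"<constructed sample>": find_plaintext_credentials(SAMPLE_CONFIG)}
    for file, paths in report.items():
        for element in paths:
            print(f"{file}: unencrypted credential-like value at {element}")
```

Run it against the controller's JENKINS_HOME from a shell that already has file-system access; a finding means the value is readable by anyone the advisory names (Extended Read on the job, or file access), and the remediation is to move it into a plugin version that stores it via Secret or into the Credentials plugin.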

Affected products (3)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.