CVE-2019-10298
Description
Jenkins Koji Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
AI Insight
Jenkins Koji Plugin stores credentials unencrypted in its global configuration file, allowing users with file system access to view them.
Vulnerability
Jenkins Koji Plugin stores credentials unencrypted in its global configuration file on the Jenkins master. Users with access to the master file system can view these credentials [1]. The vulnerability affects all versions of the plugin up to and including the latest version at the time of disclosure.
Exploitation
An attacker requires access to the Jenkins master file system, either through direct shell access or by exploiting another vulnerability that provides file read capabilities. No additional authentication is needed beyond file system access. The attacker can read the configuration file containing the credentials.
Impact
Successful exploitation results in the disclosure of stored credentials, such as API tokens or passwords, which can be used to gain unauthorized access to external services configured with the plugin [2].
Mitigation
As of the advisory on 2019-04-03, there is no fix provided for the Koji Plugin. Users should ensure that only trusted users have file system access to the Jenkins master and consider using Jenkins' credential encryption features if available [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:koji (Maven) | <= 0.3 | — |
Affected products
- Range: all versions as of 2019-04-03
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-x464-r7f4-gj3m (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10298 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2019/04/12/2 (ghsa; mailing-list, x_refsource_MLIST, WEB)
- www.securityfocus.com/bid/107790 (mitre; vdb-entry, x_refsource_BID)
- jenkins.io/security/advisory/2019-04-03/ (ghsa; x_refsource_CONFIRM, WEB)