VYPR
Low severity · NVD Advisory · Published Apr 30, 2019 · Updated Aug 4, 2024

CVE-2019-10318

Description

Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Azure AD Plugin ≤0.3.3 stores the client secret unencrypted in config.xml, exposing it to users with file system access.

Vulnerability

Description

The Jenkins Azure AD Plugin (since renamed the Microsoft Entra ID Plugin), in versions 0.3.3 and earlier, writes the client secret in plaintext into the global config.xml on the Jenkins master [1][2]. The plugin's XStream converter serialised the raw String value instead of a hudson.util.Secret, so nothing encrypted the value before it reached disk. Jenkins provides Secret precisely so that credentials persisted in config.xml are stored encrypted under the instance's master key rather than in the clear.

Exploitation

An attacker who already has read access to the Jenkins master file system, for example a user with read permission on JENKINS_HOME, a build running on the master node itself, or someone who reached the file through another vulnerability, can recover the client secret simply by reading config.xml [1][2]. No further authentication or network position is needed: the value sits in the clear in the realm's clientsecret element.

Impact

The client secret is the credential of the Azure AD application registration that Jenkins authenticates with. Whoever holds it, together with the client ID and tenant stored in the same file, can obtain tokens as that application and exercise whatever permissions the registration was granted, impersonating the Jenkins instance towards Azure AD and any API the application can reach [1][2]. This compromises the confidentiality and integrity of the Azure AD integration, and the damage is bounded only by the permissions granted to the application, not by anything on the Jenkins side.

Mitigation

The vulnerability is fixed in Azure AD Plugin version 0.3.4, which stores the client secret as an encrypted Secret [1][3]. Users should upgrade to this version or later. No workaround is available; upgrading is the only remediation. Two caveats apply after upgrading. First, the fix changes how the value is written, so a config.xml produced by 0.3.3 keeps its plaintext value until the security realm configuration is saved again; re-save the global security configuration and confirm that the clientsecret element now holds an encrypted value. Second, the secret should be treated as compromised wherever config.xml may already have been read, and rotated in the Azure AD application registration. Encryption with the Jenkins master key protects only against reading config.xml in isolation; an attacker who can copy the whole JENKINS_HOME, including the secrets directory, can still decrypt it.
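The following is an added example, not code from this page or from the azure-ad plugin. It serves both the Exploitation section above (what the leaked value looks like on disk) and the re-save check in the Mitigation section: it parses a Jenkins config.xml and reports whether the Azure AD client secret is stored in plaintext or in encrypted form. The element name clientsecret is taken from the fix diff; the assumption is that a value written through hudson.util.Secret has the form "{<base64>}", which is what Secret.getEncryptedValue() produces on Jenkins 2.x. The two sample files are constructed for the example, and the "encrypted" value in the second one is only ciphertext-shaped and will not decrypt anywhere.

```python
import re
import xml.etree.ElementTree as ET

# Added example for CVE-2019-10318; not code from the VYPR page or from the
# azure-ad plugin. It classifies the value stored in the <clientsecret>
# element of a Jenkins config.xml (element name taken from the fix diff).
# Assumption: a value written through hudson.util.Secret looks like
# "{<base64>}", the form Secret.getEncryptedValue() produces on Jenkins 2.x.
# Anything else found in that element is treated as plaintext.

ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")

# Constructed sample files, not captured from a real instance. The "encrypted"
# value below is only ciphertext-shaped and does not decrypt to anything.
VULNERABLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <securityRealm class="com.microsoft.jenkins.azuread.AzureSecurityRealm">
    <clientid>11111111-2222-3333-4444-555555555555</clientid>
    <clientsecret>thisIsSpecialSecret</clientsecret>
    <tenant>contoso.onmicrosoft.com</tenant>
  </securityRealm>
</hudson>
"""

FIXED_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <securityRealm class="com.microsoft.jenkins.azuread.AzureSecurityRealm">
    <clientid>11111111-2222-3333-4444-555555555555</clientid>
    <clientsecret>{AQAAABAAAAAgZmFrZWNpcGhlcnRleHRmb3JkZW1vb25seQ==}</clientsecret>
    <tenant>contoso.onmicrosoft.com</tenant>
  </securityRealm>
</hudson>
"""


def find_client_secret(config_xml: str):
    """Return the raw <clientsecret> text of an AzureSecurityRealm, or None.

    Jenkins writes an XML 1.1 declaration; it is stripped first so that expat
    is not asked to handle a version it does not implement.
    """
    root = ET.fromstring(XML_DECL_RE.sub("", config_xml, count=1))
    realm = root.find("securityRealm")
    if realm is None or "AzureSecurityRealm" not in realm.get("class", ""):
        return None
    node = realm.find("clientsecret")
    if node is None:
        return None
    return (node.text or "").strip()


def classify_secret(value):
    """Return 'absent', 'encrypted' (Secret-shaped) or 'plaintext'."""
    if value is None or value == "":
        return "absent"
    return "encrypted" if ENCRYPTED_RE.match(value) else "plaintext"


def audit_config(config_xml: str) -> str:
    """One-call check: in what state is the Azure AD client secret stored?"""
    return classify_secret(find_client_secret(config_xml))


if __name__ == "__main__":
    for name, xml in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name} config: clientsecret is {audit_config(xml)}")
```

Run it against a copy of $JENKINS_HOME/config.xml you are entitled to read; a "plaintext" result after the upgrade means the realm has not been re-saved yet. The shape test is a heuristic for offline use. The authoritative check is on the master itself, in the Script Console: `hudson.util.Secret.decrypt(value) != null` for the stored string.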

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:azure-ad    Maven       < 0.3.4             0.3.4

Patches (1)

Commit 70983d1a6528

[SECURITY-1390]

3 files changed · +74 −1
  • pom.xml (+6 −0, modified)
    @@ -132,6 +132,12 @@
                 <version>4.5.7</version>
             </dependency>
     
    +        <dependency>
    +            <groupId>junit</groupId>
    +            <artifactId>junit</artifactId>
    +            <version>4.12</version>
    +            <scope>test</scope>
    +        </dependency>
             <!--fix the requireUpperBounds errors-->
             <dependency>
                 <groupId>commons-codec</groupId>
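Review bot: the junit 4.12 test dependency added here is not the only thing the new test needs; AzureSecurityRealmTest also imports org.jvnet.hudson.test.JenkinsRule and org.apache.commons.io.output.ByteArrayOutputStream, and neither jenkins-test-harness nor commons-io is declared in this hunk. Confirm both already reach the test classpath through the parent POM, otherwise the test compilation fails in a way this diff does not show.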
    
  • src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java (+1 −1, modified)
    @@ -305,7 +305,7 @@ public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingC
                 writer.endNode();
     
                 writer.startNode("clientsecret");
    -            writer.setValue(realm.getClientSecret());
    +            writer.setValue(realm.getClientSecretSecret());
                 writer.endNode();
     
                 writer.startNode("tenant");
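Review bot: `writer.setValue(realm.getClientSecretSecret());` only achieves encryption if getClientSecretSecret() returns the encrypted String form (hudson.util.Secret#getEncryptedValue), since HierarchicalStreamWriter.setValue takes a String; the getter is not in the diff, so that should be checked, and the matching unmarshal path should read the node back with Secret.fromString, which accepts both the encrypted form and a plaintext value so that config.xml files written by 0.3.3 still load. Because only the write path changes, an existing config.xml keeps its plaintext clientsecret until the realm is saved again; that is worth stating in the advisory text or handling with a forced save after load.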
    
  • src/test/java/com/microsoft/jenkins/azuread/AzureSecurityRealmTest.java (+67 −0, modified)
    @@ -1,4 +1,71 @@
     package com.microsoft.jenkins.azuread;
     
    +import com.thoughtworks.xstream.io.binary.BinaryStreamReader;
    +import com.thoughtworks.xstream.io.binary.BinaryStreamWriter;
    +import org.apache.commons.io.output.ByteArrayOutputStream;
    +import org.junit.Assert;
    +import org.junit.Before;
    +import org.junit.Rule;
    +import org.junit.Test;
    +import org.jvnet.hudson.test.JenkinsRule;
    +
    +import java.io.ByteArrayInputStream;
    +import java.io.IOException;
    +import java.util.concurrent.ExecutionException;
    +
     public class AzureSecurityRealmTest {
    +    @Rule
    +    public JenkinsRule j = new JenkinsRule();
    +
    +    @Before
    +    public void init() throws Exception {
    +        j.recipe();
    +    }
    +
    +    @Test
    +    public void testConverter() throws InterruptedException, ExecutionException, IOException {
    +        BinaryStreamWriter writer = null;
    +        BinaryStreamReader reader = null;
    +        try {
    +            AzureSecurityRealm securityRealm = new AzureSecurityRealm("tenant", "clientId", "secret");
    +            AzureSecurityRealm.ConverterImpl converter = new AzureSecurityRealm.ConverterImpl();
    +            ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    +            writer = new BinaryStreamWriter(outputStream);
    +            writer.startNode("parentNode");
    +            converter.marshal(securityRealm, writer, null);
    +            writer.endNode();
    +            byte[] bytes = outputStream.toByteArray();
    +            reader = new BinaryStreamReader(new ByteArrayInputStream(bytes));
    +            AzureSecurityRealm result = (AzureSecurityRealm) converter.unmarshal(reader, null);
    +
    +            Assert.assertEquals(securityRealm.getTenant(), result.getTenant());
    +            Assert.assertEquals(securityRealm.getClientId(), result.getClientId());
    +            Assert.assertEquals(securityRealm.getClientSecret(), result.getClientSecret());
    +        } finally {
    +            if (writer != null) {
    +                writer.close();
    +            }
    +            if (reader != null) {
    +                reader.close();
    +            }
    +        }
    +    }
    +
    +    @Test
    +    public void testSavedConfig() throws InterruptedException, ExecutionException, IOException {
    +        BinaryStreamWriter writer = null;
    +        try {
    +            String secretString = "thisIsSpecialSecret";
    +            AzureSecurityRealm securityRealm = new AzureSecurityRealm("tenant", "clientId", secretString);
    +            AzureSecurityRealm.ConverterImpl converter = new AzureSecurityRealm.ConverterImpl();
    +            ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    +            writer = new BinaryStreamWriter(outputStream);
    +            converter.marshal(securityRealm, writer, null);
    +            Assert.assertFalse(outputStream.toString().contains(secretString));
    +        } finally {
    +            if (writer != null) {
    +                writer.close();
    +            }
    +        }
    +    }
     }
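Review bot: testSavedConfig asserts only that the literal "thisIsSpecialSecret" is absent from the serialized bytes, which a Base64 or otherwise trivially encoded value would also pass; a stronger check reads the clientsecret node back and asserts that hudson.util.Secret.decrypt(value) is non-null and yields the original string. The JenkinsRule is needed because Secret encryption requires a running Jenkins instance for the master key, but the explicit `j.recipe();` call in init() appears redundant, as the rule already invokes it. testConverter wraps the marshal call in a "parentNode" element while testSavedConfig marshals without one; making the two consistent would exercise unmarshal on the same shape that testSavedConfig inspects.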
    

