CVE-2019-10358
Description
Jenkins Maven Integration Plugin ≤3.3 fails to apply build log decorators to module builds, potentially exposing sensitive build variables in logs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Maven Integration Plugin ≤3.3 fails to apply build log decorators to module builds, potentially exposing sensitive build variables in logs.
Vulnerability
Jenkins Maven Integration Plugin versions 3.3 and earlier do not apply build log decorators to module builds. Build log decorators are used to mask sensitive build variables (e.g., passwords, API tokens) in console output. Because module builds bypass this masking, any sensitive variables set in the build environment may appear in plain text in the module build logs [1][4].
Exploitation
An attacker with access to view build logs (e.g., a user with Job/Read permission) can exploit this by examining the console output of module builds within a Maven job. No additional authentication or network position is required beyond standard Jenkins access. The vulnerability affects all jobs using the Maven Integration Plugin with multi-module projects [1][3].
Impact
Successful exploitation leads to the disclosure of sensitive build variables. These variables often contain credentials, secret keys, or other confidential data used during the build process. An attacker could leverage this information to gain unauthorized access to systems, escalate privileges, or compromise other Jenkins resources [1][4].
Mitigation
The issue is fixed in Maven Integration Plugin version 3.4, released on 2019-07-31 [3]. Users should upgrade to this version or later. No workaround is documented; upgrading is the recommended action [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.main:maven-plugin (Maven) | < 3.4 | 3.4 |
Affected products
- Range: 3.3 and earlier
Patches
13 files changed · +96 −2
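--- a/pom.xml
+++ b/pom.xml
@@ -759,6 +759,36 @@ THE SOFTWARE.
         </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>credentials</artifactId>
+      <version>2.1.19</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>plain-credentials</artifactId>
+      <version>1.4</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>credentials-binding</artifactId>
+      <version>1.16</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci</groupId>
+      <artifactId>symbol-annotation</artifactId>
+      <version>1.7</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci</groupId>
+      <artifactId>annotation-indexer</artifactId>
+      <version>1.12</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
   <build>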
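--- a/src/main/java/hudson/maven/MavenBuild.java
+++ b/src/main/java/hudson/maven/MavenBuild.java
@@ -588,14 +588,17 @@ public class ProxyImpl2 extends ProxyImpl implements MavenBuildProxy2 {
         private final SplittableBuildListener listener;
         long startTime;
-        private final OutputStream log;
+        private OutputStream log;
         private final MavenModuleSetBuild parentBuild;
         private boolean blockBuildEvents;
-        ProxyImpl2(MavenModuleSetBuild parentBuild,SplittableBuildListener listener) throws FileNotFoundException {
+        ProxyImpl2(MavenModuleSetBuild parentBuild,SplittableBuildListener listener) throws FileNotFoundException, IOException, InterruptedException {
             this.parentBuild = parentBuild;
             this.listener = listener;
             log = new FileOutputStream(getLogFile()); // no buffering so that AJAX clients can see the log live
+            for(BuildWrapper wrapper : project.getParent().getBuildWrappersList()){
+                log = wrapper.decorateLogger( parentBuild, log );
+            }
         }
         public void start() {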
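Review bot: If `decorateLogger` throws inside the new loop, the `FileOutputStream` opened on the preceding line is never closed, because the exception leaves the constructor before the stream is handed to anything that would close it, so every module-build start that fails in a decorator leaks a log file handle. Decorating a local stream inside a try block that closes it on failure and assigning the field once at the end also lets `log` stay `final`, which the hunk gave up only to permit reassignment; the added `FileNotFoundException` in the throws clause is already covered by `IOException`. A short why-comment on the loop would help the next reader, e.g. `// apply the parent build's log decorators (credential masking etc.) to the module log as well`. ProxyImpl2 begins before this hunk and continues after it.
```java
ProxyImpl2(MavenModuleSetBuild parentBuild,SplittableBuildListener listener) throws IOException, InterruptedException {
    this.parentBuild = parentBuild;
    this.listener = listener;
    OutputStream decorated = new FileOutputStream(getLogFile()); // no buffering so that AJAX clients can see the log live
    try {
        // apply the parent build's log decorators (credential masking etc.) to the module log as well
        for (BuildWrapper wrapper : project.getParent().getBuildWrappersList()) {
            decorated = wrapper.decorateLogger(parentBuild, decorated);
        }
    } catch (IOException | InterruptedException | RuntimeException e) {
        decorated.close(); // do not leak the raw log file handle when a decorator fails
        throw e;
    }
    log = decorated;
}
```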
src/test/java/hudson/maven/Security713Test.java+61 −0 added@@ -0,0 +1,61 @@ +package hudson.maven; + +import com.cloudbees.plugins.credentials.CredentialsProvider; +import com.cloudbees.plugins.credentials.CredentialsScope; +import com.cloudbees.plugins.credentials.domains.Domain; +import hudson.Functions; +import hudson.tasks.BatchFile; +import hudson.tasks.Maven; +import hudson.tasks.Shell; +import hudson.util.Secret; +import org.jenkinsci.plugins.credentialsbinding.impl.SecretBuildWrapper; +import org.jenkinsci.plugins.credentialsbinding.impl.StringBinding; +import org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl; +import org.junit.Rule; +import org.junit.Test; +import org.jvnet.hudson.test.Issue; +import org.jvnet.hudson.test.ToolInstallations; + +import java.util.Collections; +import java.util.List; +import java.util.Map; + +import static org.junit.Assert.assertEquals; + +public class Security713Test +{ + + @Rule + public MavenJenkinsRule r = new MavenJenkinsRule(); + + + @Issue("SECURITY-713") + @Test + public void maskingMavenSecrets() throws Exception { + Maven.MavenInstallation mavenInstallation = ToolInstallations.configureMaven35(); + String id = "creds"; + String pwd = "p4$$word"; + CredentialsProvider.lookupStores( r.jenkins).iterator() // + .next() // + .addCredentials( Domain.global(), // + new StringCredentialsImpl( CredentialsScope.GLOBAL, id, "", Secret.fromString( pwd))); + MavenModuleSet p = r.createProject( MavenModuleSet.class); + p.setMaven( mavenInstallation.getName() ); + r.jenkins.getWorkspaceFor( p) // + .child( "pom.xml") // + .write( "<project><modelVersion>4.0.0</modelVersion><groupId>x</groupId><artifactId>y</artifactId><version>0-" + pwd + "</version></project>", null); + p.setGoals("help:evaluate -Dexpression=project.version"); + p.getPostbuilders().add( Functions.isWindows() ? 
new BatchFile( "echo %PASS%") : new Shell( "echo \"$PASS\"")); + p.getBuildWrappersList().add(new SecretBuildWrapper( Collections.singletonList( new StringBinding( "PASS", id)))); + MavenModuleSetBuild b = r.buildAndAssertSuccess( p); + r.assertLogNotContains(pwd, b); + r.assertLogContains("****", b); + Map<MavenModule, List<MavenBuild>> moduleBuilds = b.getModuleBuilds(); + assertEquals(1, moduleBuilds.size()); + List<MavenBuild> theBuilds = moduleBuilds.values().iterator().next(); + assertEquals(1, theBuilds.size()); + r.assertLogNotContains(pwd, theBuilds.get(0)); + r.assertLogContains("****", theBuilds.get(0)); + } + +}
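Review bot: The positive checks `r.assertLogContains("****", b)` and the matching one on `theBuilds.get(0)` only establish that four consecutive asterisks appear somewhere in each log, which other output could satisfy regardless of whether the secret was masked; the negative `assertLogNotContains(pwd, …)` checks carry the real weight. Since the pom version is built as `"0-" + pwd` and `help:evaluate` prints `project.version`, a more specific expectation such as `r.assertLogContains("0-****", theBuilds.get(0));` would tie the assertion to the masked value (assuming the masker substitutes `****`, as the existing assertion already presumes). The echo post-builder covers the parent log in the same way, so the parent-side check could be tightened to the masked echo line as well.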
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hr96-qfvm-52r6 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10358 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2019/07/31/1 (ghsa; mailing-list, x_refsource_MLIST; WEB)
- github.com/jenkinsci/maven-plugin/commit/23e3fe5c43705883e4fb9d3ba052dfb1af3f2464 (ghsa; WEB)
- jenkins.io/security/advisory/2019-07-31/ (ghsa; x_refsource_CONFIRM; WEB)
News mentions
No linked articles in our index yet.