Low severity · NVD Advisory · Published Jul 31, 2019 · Updated Aug 4, 2024
CVE-2019-10361
Description
Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master where they could be viewed by users with access to the master file system.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins.m2release:m2release (Maven) | < 0.15.0 | 0.15.0 |
Affected products
- Range: 0.14.0 and earlier
Patches
a2e7f2bb8264 [SECURITY-1435]
5 files changed · +89 −8
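--- a/pom.xml
+++ b/pom.xml
@@ -115,6 +115,12 @@
       <version>${maven.test.version}</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci</groupId>
+      <artifactId>test-annotations</artifactId>
+      <version>1.3</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
   <build>
@@ -135,11 +141,21 @@
         <artifactId>maven-hpi-plugin</artifactId>
         <version>1.96</version>
         <extensions>true</extensions>
+        <configuration>
+          <compatibleSinceVersion>0.15</compatibleSinceVersion>
+        </configuration>
       </plugin>
       <plugin>
         <artifactId>maven-release-plugin</artifactId>
         <version>2.5</version>
-      </plugin>
+      </plugin>
+      <plugin>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <configuration>
+          <source>1.7</source>
+          <target>1.7</target>
+        </configuration>
+      </plugin>
     </plugins>
   </build>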
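Review bot: The `maven-compiler-plugin` block added in the second hunk carries no `<version>`, so the plugin that applies the new `1.7` source/target is whatever the parent POM or Maven's defaults happen to resolve (presumably the Jenkins parent, but that is not visible here), which makes the build non-reproducible and produces a Maven warning on every run. Pin it alongside the other plugins, e.g. `<version>[compiler-plugin-version]</version>` directly under the `<artifactId>`. The `compatibleSinceVersion` setting in the same hunk is appropriate given the descriptor's field-type change in M2ReleaseBuildWrapper.java and needs no further change.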
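--- a/src/main/java/org/jvnet/hudson/plugins/m2release/M2ReleaseBuildWrapper.java
+++ b/src/main/java/org/jvnet/hudson/plugins/m2release/M2ReleaseBuildWrapper.java
@@ -47,6 +47,7 @@
 import hudson.tasks.Builder;
 import hudson.util.FormValidation;
 import hudson.util.RunList;
+import hudson.util.Secret;
 import java.io.IOException;
 import java.lang.reflect.Array;
@@ -189,7 +190,7 @@ public boolean tearDown(@SuppressWarnings("rawtypes") AbstractBuild bld, BuildLi
     M2ReleaseArgumentsAction args = bld.getAction(M2ReleaseArgumentsAction.class);
     if (args.isCloseNexusStage() && !args.isDryRun()) {
       StageClient client = new StageClient(new URL(getDescriptor().getNexusURL()), getDescriptor()
-          .getNexusUser(), getDescriptor().getNexusPassword());
+          .getNexusUser(), getDescriptor().getNexusPassword().getPlainText());
       try {
         MavenModule rootModule = mmSet.getRootModule();
         // TODO grab the version that we have just released...
@@ -475,7 +476,7 @@ public static class DescriptorImpl extends BuildWrapperDescriptor {
     private boolean nexusSupport = false;
     private String nexusURL = null;
     private String nexusUser = "deployment"; //$NON-NLS-1$
-    private String nexusPassword = "deployment123"; //$NON-NLS-1$
+    private Secret nexusPassword = Secret.fromString("deployment123"); //$NON-NLS-1$
@@ -503,7 +504,7 @@ public boolean configure(StaplerRequest staplerRequest, JSONObject json) throws
         nexusURL = nexusURL + "/";
       }
       nexusUser = Util.fixEmpty(nexusParams.getString("nexusUser")); //$NON-NLS-1$
-      nexusPassword = nexusParams.getString("nexusPassword"); //$NON-NLS-1$
+      nexusPassword = Secret.fromString(nexusParams.getString("nexusPassword")); //$NON-NLS-1$
     }
     save();
     return true; // indicate that everything is good so far
@@ -525,7 +526,7 @@ public String getNexusUser() {
     }
-    public String getNexusPassword() {
+    public Secret getNexusPassword() {
       return nexusPassword;
     }
@@ -539,8 +540,8 @@ public boolean isNexusSupport() {
      */
     public FormValidation doUrlCheck(@QueryParameter String urlValue,
                                      final @QueryParameter String usernameValue,
-                                     final @QueryParameter String passwordValue) throws IOException,
-        ServletException {
+                                     final @QueryParameter Secret passwordValue) throws IOException,
+        ServletException {
       // this method can be used to check if a file exists anywhere in the file system,
       // so it should be protected.
       if (!Hudson.getInstance().hasPermission(Hudson.ADMINISTER)) {
@@ -564,7 +565,7 @@ public FormValidation doUrlCheck(@QueryParameter String urlValue,
         if (!(url.getProtocol().equals("http") || url.getProtocol().equals("https"))) {
           return FormValidation.error("protocol must be http or https");
         }
-        StageClient client = new StageClient(new URL(testURL), usernameValue, passwordValue);
+        StageClient client = new StageClient(new URL(testURL), usernameValue, passwordValue.getPlainText());
         client.checkAuthentication();
       } catch (MalformedURLException ex) {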
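Review bot: `passwordValue.getPlainText()` in the last hunk of doUrlCheck dereferences the new `Secret` parameter with no null check, so a form-validation request that omits `passwordValue` now fails with a NullPointerException where the old `String` signature simply passed null through to StageClient; the tearDown hunk has the same shape, and `getNexusPassword()` can presumably be null there if a stored descriptor XML has no `nexusPassword` element, since the field initializer does not run on deserialization (worth confirming). `Secret.toString(Secret)` is the null-safe equivalent of `getPlainText()`: `new StageClient(new URL(testURL), usernameValue, Secret.toString(passwordValue));` in doUrlCheck and `.getNexusUser(), Secret.toString(getDescriptor().getNexusPassword()));` in tearDown. Both tearDown and doUrlCheck begin or end outside their hunks, so the surrounding handling of a null client argument is not visible here.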
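--- /dev/null
+++ b/src/test/java/org/jvnet/hudson/plugins/m2release/M2ReleaseBuildWrapperTest.java
@@ -0,0 +1,55 @@
+package org.jvnet.hudson.plugins.m2release;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.commons.io.IOUtils;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.Issue;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.recipes.LocalData;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.not;
+import static org.hamcrest.CoreMatchers.notNullValue;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
+
+public class M2ReleaseBuildWrapperTest {
+
+    private static final String PASSWORD = "mysecretpassword";
+    @Rule
+    public JenkinsRule jr = new JenkinsRule();
+
+
+    @Issue("SECURITY-1435")
+    @Test
+    @LocalData
+    public void testMigrationOfNexusPassword() throws Exception {
+        M2ReleaseBuildWrapper.DescriptorImpl d =
+                jr.jenkins.getDescriptorByType(M2ReleaseBuildWrapper.DescriptorImpl.class);
+        if (d == null) {
+            fail("could not find the descriptor");
+        }
+        assertThat("old password read ok", d.getNexusPassword(), notNullValue());
+        assertThat("old password migrated", d.getNexusPassword().getPlainText(), is(PASSWORD));
+
+        jr.configRoundtrip();
+
+        assertThat("round tripped password", d.getNexusPassword(), notNullValue());
+        assertThat("round tripped password", d.getNexusPassword().getPlainText(), is(PASSWORD));
+
+        File f = new File(jr.jenkins.root, M2ReleaseBuildWrapper.class.getName() + ".xml");
+        FileInputStream fis = new FileInputStream(f);
+        try {
+            String content = IOUtils.toString(fis, "UTF-8");
+            assertThat("password should be encrypted", content, not(containsString(PASSWORD)));
+        } finally {
+            fis.close();
+        }
+
+    }
+}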
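Review bot: `IOUtils.toString(fis, "UTF-8")` near the end of testMigrationOfNexusPassword passes the charset as a bare string even though `java.nio.charset.StandardCharsets` is imported a few lines up and is otherwise unused; use `IOUtils.toString(fis, StandardCharsets.UTF_8)` so the import earns its place and the charset is checked at compile time. Since the pom in this same commit sets source/target to 1.7, the manual try/finally around `fis` can also become `try (FileInputStream fis = new FileInputStream(f)) {`, which closes the stream on every exit path without the explicit `fis.close()`. The final on-disk check that `PASSWORD` does not appear in the descriptor XML is the assertion that actually covers SECURITY-1435 and should stay as written.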
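--- /dev/null
+++ b/src/test/resources/org/jvnet/hudson/plugins/m2release/M2ReleaseBuildWrapperTest/testMigrationOfNexusPassword/config.xml
@@ -0,0 +1,2 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<hudson/>
\ No newline at end of file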
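--- /dev/null
+++ b/src/test/resources/org/jvnet/hudson/plugins/m2release/M2ReleaseBuildWrapperTest/testMigrationOfNexusPassword/org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper.xml
@@ -0,0 +1,7 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper_-DescriptorImpl plugin="m2release@0.14.0">
+  <nexusSupport>true</nexusSupport>
+  <nexusURL>http://localhost:99/nexus/</nexusURL>
+  <nexusUser>myusername</nexusUser>
+  <nexusPassword>mysecretpassword</nexusPassword>
+</org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper_-DescriptorImpl>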
References
- github.com/advisories/GHSA-vwx8-qpqh-qwm9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10361 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2019/07/31/1 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- github.com/jenkinsci/m2release-plugin/commit/a2e7f2bb82640a9d3641265a19c86ba141a7e79c (ghsa, WEB)
- jenkins.io/security/advisory/2019-07-31/ (ghsa, x_refsource_CONFIRM, WEB)
- www.zerodayinitiative.com/advisories/ZDI-19-835/ (mitre, x_refsource_MISC)