CVE-2019-10378
Description
Jenkins TestLink Plugin stores credentials unencrypted in global configuration, exposing them to users with file system access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The Jenkins TestLink Plugin, versions 3.16 and earlier, stores credentials unencrypted in its global configuration file on the Jenkins master [1][2]. This plaintext storage violates security best practices for credential management.
Attack Surface and Prerequisites
An attacker with access to the Jenkins master file system can view the stored credentials. This includes users who have read permissions to the configuration file, or attackers who have achieved file read access through other vulnerabilities [1][2].
Impact
Successful exploitation allows an attacker to obtain cleartext credentials configured for the TestLink plugin. These credentials can then be used to gain unauthorized access to the associated TestLink instance or other systems where the same credentials are reused [1][3].
Mitigation
As of the advisory date (2019-08-07), the vendor had not released a fix for this vulnerability in the TestLink Plugin [1][2]. Administrators should consider removing or disabling the plugin if not essential, and monitor for plugin updates. The vulnerability is listed with no resolution in the Jenkins security advisory [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:testlink (Maven) | <= 3.16 | — |
Affected products
- Range: 3.16 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-qcfr-65hf-f98x (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10378 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2019/08/07/1 (ghsa; mailing-list, x_refsource_MLIST, WEB)
- jenkins.io/security/advisory/2019-08-07/ (ghsa; x_refsource_CONFIRM, WEB)
- www.zerodayinitiative.com/advisories/ZDI-19-839/ (mitre; x_refsource_MISC)