Moderate severity · NVD Advisory · Published Sep 25, 2019 · Updated Aug 4, 2024

CVE-2019-10407

Description

Jenkins Project Inheritance Plugin 2.0.0 and earlier fails to mask sensitive environment variables contributed by the Mask Passwords Plugin, potentially exposing secrets in build logs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The Jenkins Project Inheritance Plugin, versions 2.0.0 and earlier, has a vulnerability where it displays a list of environment variables passed to a build without masking sensitive variables contributed by the Mask Passwords Plugin[1][2]. The root cause is that the plugin does not properly integrate with the Mask Passwords Plugin's masking functionality, allowing sensitive values to be exposed when the environment variables list is shown.

Exploitation

An attacker with access to view build output or logs could exploit this by observing the environment variables list displayed during a build. No special privileges beyond being able to view a build's execution details are needed; the exposure occurs automatically whenever a build is run and the environment variables are listed[1][3]. The vulnerability does not require any user interaction beyond the normal build process.

Impact

Successful exploitation leads to the disclosure of sensitive information such as passwords, API keys, or other secrets that were intended to be masked by the Mask Passwords Plugin. This could enable an attacker to gain unauthorized access to systems or services using the exposed credentials.

Mitigation

The vulnerability is fixed in Project Inheritance Plugin version 19.08.02, released on September 25, 2019[1][2]. Users should upgrade to this version or later to prevent sensitive environment variables from being exposed.
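
To find values that builds have already written to stored logs, this added example (not code from Jenkins or either plugin) scans a build log for sensitive variables whose values appear unmasked. The `NAME=value` listing format, the asterisk-only mask, and the variable names are assumptions; the sample log is constructed.

```python
import hashlib
import re

# Assumption: the environment listing appears in the log as NAME=value lines.
ENV_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
# Assumption: a masked value is rendered as asterisks only.
MASK = re.compile(r"^\*+$")


def find_unmasked(log_text, sensitive_names):
    """Return findings for sensitive variables whose value is visible in the log.

    Each finding holds the variable name, the 1-based line number and a short
    SHA-256 fingerprint of the value, so the report never repeats the secret.
    """
    sensitive = set(sensitive_names)
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = ENV_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        # Skip variables we do not track, empty values and masked values.
        if name not in sensitive or value == "" or MASK.match(value):
            continue
        digest = hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]
        findings.append({"name": name, "line": lineno, "fingerprint": digest})
    return findings


# Constructed sample log, not output captured from a real Jenkins build.
SAMPLE_LOG = """\
Started by user admin
Environment variables passed to the build:
BUILD_NUMBER=42
DEPLOY_TOKEN=constructed-example-token
DB_PASSWORD=********
API_KEY=
[build] compiling module core
DEPLOY_TOKEN=constructed-example-token
"""

if __name__ == "__main__":
    names = ["DEPLOY_TOKEN", "DB_PASSWORD", "API_KEY"]  # hypothetical names
    for f in find_unmasked(SAMPLE_LOG, names):
        print(f"{f['name']} exposed on line {f['line']} (sha256 prefix {f['fingerprint']})")
```

Any variable the scan reports should be treated as disclosed and its credential rotated; matching fingerprints across logs indicate the same value was exposed more than once.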

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| hudson.plugins:project-inheritance (Maven) | < 19.08.02 | 19.08.02 |
