CVE-2019-10420

Vulnerability

Overview

The Jenkins Assembla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master [1][2]. This occurs because the plugin does not use Jenkins' built-in credential encryption mechanism when saving authentication tokens or secrets.

Exploitation

Prerequisites

An attacker needs access to the Jenkins master's file system to read the global configuration file where the credentials are stored [2]. No authentication on the Jenkins instance is required beyond file system access; however, the attacker must already have a foothold on the master or be able to read files via another vulnerability.

Impact

Successful exploitation allows an attacker to retrieve plaintext credentials stored by the Assembla Plugin, potentially leading to unauthorized access to the Assembla service and any associated resources [3].

Mitigation

At the time of disclosure, the Jenkins security advisory noted that the Assembla Plugin had unresolved security issues, meaning no patched version was available [1]. Administrators should consider removing or disabling the plugin if it is not essential, and should restrict file system access to the Jenkins master.