VYPR
Moderate severity · NVD Advisory · Published Sep 25, 2019 · Updated Aug 4, 2024

CVE-2019-10426

Description

Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Gem Publisher Plugin stores credentials in plaintext in its global configuration file, exposing them to users with file system access.

Vulnerability Description

The Jenkins Gem Publisher Plugin, which allows publishing Ruby gems to rubygems.org, stores credentials unencrypted in its global configuration file on the Jenkins master. This flaw arises because the plugin does not encrypt sensitive data before writing it to disk, leaving it readable as plaintext [1][2].

Exploitation

An attacker with access to the Jenkins master file system can read the global configuration file and retrieve the stored credentials. No special authentication or network position is required beyond file system access, which may be obtained through other vulnerabilities or legitimate user accounts with appropriate permissions [1][2].

Impact

Successful exploitation allows an attacker to obtain the plaintext credentials configured in the plugin, potentially enabling unauthorized access to external services (e.g., rubygems.org) or further compromise of the Jenkins environment [1][2].

Mitigation

As of the advisory publication date (2019-09-25), the issue in the Gem Publisher Plugin remains unresolved, with no patched version available [2]. Users are advised to restrict file system access to the Jenkins master, avoid storing sensitive credentials in this plugin, or consider alternative plugins that properly encrypt secrets [1][2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| net.arangamani.jenkins:gem-publisher (Maven) | <= 1.0 | |

Affected products

3

Patches

0

No patches discovered yet.

References

4
