CVE-2019-10429
Description
Jenkins GitLab Logo Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins GitLab Logo Plugin stores credentials in plaintext in its global configuration file on the Jenkins master, enabling users with file system access to view them.
Vulnerability
The Jenkins GitLab Logo Plugin, versions prior to 1.0.4, stores credentials in plaintext (unencrypted) within its global configuration file on the Jenkins master. This occurs because the plugin does not use the standard Jenkins credential storage mechanism but instead writes sensitive values directly to the configuration file [1][2].
Exploitation
An attacker who has read access to the Jenkins master's file system can extract the credentials by examining the plugin's configuration file. No authentication is required beyond the ability to access the file system, which could be achieved through other vulnerabilities or administrative privileges [3].
Impact
Successful exploitation allows an attacker to obtain sensitive credentials used by the GitLab Logo Plugin. These credentials could then be used to access GitLab repositories and potentially other systems, depending on the scope and permissions of the stored credentials [1].
Mitigation
The issue is fixed in GitLab Logo Plugin version 1.0.4. Users should upgrade to this version or later to ensure credentials are stored securely using Jenkins' credential encryption mechanisms [2].
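To check whether a given installation still holds the token in clear text, both in the pre-1.0.4 state described under Vulnerability and after the upgrade described under Mitigation, the following audit script is an added example; it is not code from the advisory, from Jenkins or from the gitlab-logo plugin. It assumes the on-disk encodings used by `hudson.util.Secret` (the current `{base64}` form and the legacy bare-base64 form); the config file layout, its root element name and every token value are constructed stand-ins.

```python
"""Audit a Jenkins descriptor config.xml for credentials stored in clear text.

Added example for this advisory; it is not code from the Jenkins project or the
gitlab-logo plugin. It assumes:
  * hudson.util.Secret's current on-disk encoding, "{" + base64 + "}", and its
    legacy encoding, bare base64 of a whole number of AES blocks (this is what
    the fixed plugin writes once it persists a Secret field);
  * the descriptor config file layout shown in SAMPLE_* below, which is a
    constructed stand-in (root element name and file name are assumed);
  * constructed token values; none is a real credential.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Elements that hold credentials. The fix commit shows the descriptor persisting
# `privateToken` (secret) and `endpointUrl` (not secret).
SECRET_FIELDS = ("privateToken",)

# Current Secret encoding: "{<base64>}".
MODERN_SECRET = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")
# Bare base64 is either the legacy Secret encoding or a plaintext token that
# merely looks like base64, so it can only ever be classified as "ambiguous".
BARE_BASE64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def classify_value(value: str) -> str:
    """Classify one stored value as 'empty', 'encrypted', 'ambiguous' or 'plaintext'."""
    value = value.strip()
    if not value:
        return "empty"
    if MODERN_SECRET.match(value):
        return "encrypted"
    if BARE_BASE64.match(value) and len(value) % 4 == 0:
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            return "plaintext"
        # Legacy Secret ciphertext is AES-CBC output, so its length is a multiple
        # of the 16-byte block size; anything else cannot be a legacy Secret.
        return "ambiguous" if len(decoded) % 16 == 0 else "plaintext"
    return "plaintext"


def audit_config(xml_text: str, secret_fields=SECRET_FIELDS) -> dict:
    """Return {element_name: classification} for every credential element found."""
    root = ET.fromstring(xml_text)
    findings = {}
    for field in secret_fields:
        for elem in root.iter(field):
            findings[field] = classify_value(elem.text or "")
    return findings


def audit_file(path: str) -> dict:
    """Convenience wrapper for a real descriptor XML file on the controller."""
    with open(path, encoding="utf-8") as fh:
        return audit_config(fh.read())


# Constructed stand-ins for $JENKINS_HOME/<descriptor class>.xml before and
# after the fix; the root element name is assumed from XStream's usual aliasing.
SAMPLE_VULNERABLE = """\
<org.jenkinsci.plugins.gitlablogo.GitlabLogoProperty_-DescriptorImpl plugin="gitlab-logo@1.0.3">
  <privateToken>glpat-EXAMPLE-token-0000</privateToken>
  <endpointUrl>https://gitlab.example.invalid</endpointUrl>
</org.jenkinsci.plugins.gitlablogo.GitlabLogoProperty_-DescriptorImpl>
"""

SAMPLE_FIXED = """\
<org.jenkinsci.plugins.gitlablogo.GitlabLogoProperty_-DescriptorImpl plugin="gitlab-logo@1.0.4">
  <privateToken>{AQAAABAAAAAQq9EXAMPLEbase64PAYLOADwithNoMeaning00=}</privateToken>
  <endpointUrl>https://gitlab.example.invalid</endpointUrl>
</org.jenkinsci.plugins.gitlablogo.GitlabLogoProperty_-DescriptorImpl>
"""


if __name__ == "__main__":
    for label, xml_text in (("1.0.3", SAMPLE_VULNERABLE), ("1.0.4", SAMPLE_FIXED)):
        for field, status in audit_config(xml_text).items():
            print(f"plugin {label}: <{field}> is {status}")
```

Point `audit_file` at the descriptor's XML on the controller. A `plaintext` result on an installation already running 1.0.4 typically means the global configuration has not been re-saved since the upgrade, because the encrypted form is only written when the descriptor persists itself again; an `ambiguous` result needs a manual look, since a legacy-format Secret and a base64-looking token cannot be told apart from the file alone.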
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:gitlab-logo (Maven) | < 1.0.4 | 1.0.4 |
Affected products
- Range: 1.0.3 and earlier
Patches
1a64595353df [SECURITY-1575] Save privateToken to Secret field instead of String field
1 file changed · +5 −4
src/main/java/org/jenkinsci/plugins/gitlablogo/GitlabLogoProperty.java+5 −4 modified@@ -4,6 +4,7 @@ import hudson.model.Job; import hudson.model.JobProperty; import hudson.model.JobPropertyDescriptor; +import hudson.util.Secret; import jenkins.model.Jenkins; import net.sf.json.JSONObject; import org.apache.commons.lang.StringUtils; @@ -64,14 +65,14 @@ public String getRepositoryUrl(){ private Project getProject() { DescriptorImpl descriptor = getDescriptor(); - GitlabApi api = new GitlabApi(descriptor.getEndpointUrl(), descriptor.getPrivateToken()); + GitlabApi api = new GitlabApi(descriptor.getEndpointUrl(), descriptor.getPrivateToken().getPlainText()); return api.getCachedProject(getRepositoryName()); } @Extension public static final class DescriptorImpl extends JobPropertyDescriptor { - private String privateToken; + private Secret privateToken; private String endpointUrl; public DescriptorImpl(){ @@ -100,15 +101,15 @@ public GitlabLogoProperty newInstance(StaplerRequest req, JSONObject formData) t public boolean configure(StaplerRequest req, JSONObject formData) throws FormException { // To persist global configuration information, // set that to properties and call save(). - privateToken = formData.getString("privateToken"); + privateToken = Secret.fromString(formData.getString("privateToken")); endpointUrl = formData.getString("endpointUrl"); // ^Can also use req.bindJSON(this, formData); // (easier when there are many fields; need set* methods for this, like setUseFrench) save(); return super.configure(req, formData); } - public String getPrivateToken() { + public Secret getPrivateToken() { return privateToken; }
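Review bot: In the `getProject()` hunk, `descriptor.getPrivateToken().getPlainText()` dereferences the field without a null check; the old `String` field could legitimately be null when the global configuration has never been saved, and the previous code simply passed that null on to `GitlabApi`. Prefer the null-safe static helper, e.g. `new GitlabApi(descriptor.getEndpointUrl(), Secret.toString(descriptor.getPrivateToken()))`, which yields an empty string for a missing token instead of a NullPointerException.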
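Review bot: In the `DescriptorImpl` hunk, changing `privateToken` from `String` to `Secret` fixes how values are written from now on, but a config file written by an earlier release keeps its clear-text token on disk until `save()` next runs, and the only `save()` in this diff is inside `configure(...)`, i.e. it runs only when an administrator resubmits the global configuration form. Consider re-saving on load (for example from a `readResolve()` on the descriptor) so that the upgrade itself rewrites the file, and say in the commit message that existing installations must re-save the global configuration until then. Also note that the public `getPrivateToken()` return type changes from `String` to `Secret`, which breaks any external caller compiled against the old signature.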
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-22rj-q66g-2jg3 (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-10429 (GHSA, advisory)
- https://www.openwall.com/lists/oss-security/2019/09/25/3 (GHSA, mailing list, x_refsource_MLIST)
- https://github.com/jenkinsci/gitlab-logo-plugin/commit/1a64595353df91b5fcf2d9336fa627e06ef1f8a9 (GHSA, fix commit)
- https://jenkins.io/security/advisory/2019-09-25/ (GHSA, vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.