CVE-2019-10430

The NeuVector Vulnerability Scanner Plugin for Jenkins stored credentials unencrypted in its global configuration file on the Jenkins master [1][3]. The plugin failed to encrypt sensitive data such as API tokens or passwords, leaving them in plaintext within the configuration file.

An attacker with access to the Jenkins master file system could read the global configuration file and obtain the stored credentials. No additional authentication is required beyond file system access [1].

Successful exploitation allows an attacker to use the compromised credentials to access the NeuVector scanner instance or other resources that the credentials protect. The impact depends on the privileges associated with the exposed credentials [1].

The vulnerability is fixed in NeuVector Vulnerability Scanner Plugin version 1.6, which encrypts credentials before storage [2]. Users should upgrade to version 1.6 or later to mitigate the risk.