CVE-2019-10443
Description
Jenkins iceScrum Plugin 1.1.4 and earlier stores credentials in plaintext in job config.xml files, allowing users with Extended Read or file system access to obtain them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
The Jenkins iceScrum Plugin, versions 1.1.4 and earlier, stores credentials in plaintext within job config.xml files on the Jenkins master [1][3]. This violates security best practices for credential handling.
Exploitation
An attacker with Extended Read permission on the job (or direct access to the Jenkins master file system) can read these config.xml files and recover the plaintext credentials [4]. No further authentication is needed beyond that access, so exploitation is straightforward.
Impact
Successful exploitation leads to disclosure of credentials stored by the iceScrum plugin. These credentials could be used to access other systems or services, potentially escalating privileges or enabling further attacks within the CI/CD pipeline [1].
Mitigation
Jenkins has released version 1.1.6 of the iceScrum Plugin, which encrypts the stored credentials [1]. Users are strongly advised to update immediately. As a workaround, restrict the Extended Read permission and limit file system access on the Jenkins master.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:icescrum (Maven) | < 1.1.5 | 1.1.5 |
Affected products
- Range: 1.1.4 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-362p-56c9-q273 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10443 (NVD)
- www.openwall.com/lists/oss-security/2019/10/16/6 (oss-security mailing list)
- jenkins.io/security/advisory/2019-10-16/ (Jenkins security advisory)
- www.zerodayinitiative.com/advisories/ZDI-19-933 (Zero Day Initiative, via GHSA)
- www.zerodayinitiative.com/advisories/ZDI-19-933/ (Zero Day Initiative, via MITRE)
News mentions
No linked articles in our index yet.