CVE-2019-10453

Vulnerability

Description The Jenkins Delphix Plugin stores credentials in plaintext within its global configuration file on the Jenkins master. This design flaw results in the exposure of sensitive information to any user who has access to the master's file system [1]. The credentials are written unencrypted, violating security best practices for secret storage.

Attack

Vector and Prerequisites An attacker with access to the Jenkins master file system—either through direct shell access, a separate vulnerability, or via a user account with file read permissions—can retrieve the stored credentials from the configuration file. No special authentication or network position is required beyond file system access on the master node [1]. The Jenkins Security Advisory categorizes this as a medium-severity issue due to the prerequisite of file system access [1][2].

Impact

Successful exploitation enables an attacker to obtain plaintext credentials used to connect to the Delphix DevOps Data Platform. With these credentials, the attacker could potentially access and manipulate Delphix-managed data environments, leading to unauthorized data exposure, disruption of data operations, or further compromise of connected systems.

Mitigation

As of the advisory date, no patch had been released for the Delphix Plugin; users are advised to restrict file system access to the Jenkins master and monitor official plugin channels for updates [2]. The plugin's newer versions (v3.0.0+) use the Data Control Tower APIs and may require separate configuration review [3].