CVE-2019-16556
Description
Jenkins Rundeck Plugin stores credentials unencrypted in configuration files, allowing users with Extended Read or file system access to view them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause: Rundeck Plugin releases before 3.6.6 persist the Rundeck credentials they are configured with in plaintext rather than in Jenkins' encrypted form: the global Rundeck settings go into the plugin's global configuration file and per-job settings into each job's config.xml on the Jenkins master [1][3].
Exploitation: Nothing beyond reading a file is needed. A user holding Extended Read permission can fetch a job's config.xml through the Jenkins UI or REST API and read the credentials stored in it; anyone with access to the master's file system can read both the job files and the global configuration file [1][3]. No authentication beyond the permissions the user already holds is required.
Impact: Every credential the plugin holds, such as Rundeck passwords or API tokens, is exposed. With them the attacker can authenticate to the Rundeck server as the configured account and act with that account's privileges on the jobs and hosts Rundeck manages [1][2].
Mitigation: Rundeck Plugin 3.6.6 fixes the issue [2]. Upgrade, then re-save the global configuration and any affected job configurations so the stored values are rewritten in encrypted form, and rotate the Rundeck passwords and API tokens that were on disk in the clear, since anyone who already read them still has them. Where the upgrade has to wait, restrict Extended Read to administrators and limit file-system access to the master to trusted operators [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
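A check a practitioner would run after reading the above: walk JENKINS_HOME for the plugin's global configuration file and every job's config.xml, and flag credential-looking elements whose value is not in Jenkins' encrypted `{base64}` form. This is an added example, not code from Jenkins or the Rundeck Plugin. The element names in the embedded sample documents (rundeckPluginConfig, rundeckInstance, login, password, apiToken) and the base64 payloads in the "fixed" sample are constructed for illustration; they are not the plugin's real field names or real secrets.

```python
"""Check Jenkins XML configuration for credentials persisted in plaintext.

Added example, not code from Jenkins or the Rundeck Plugin. The element and
file names used in the embedded samples (rundeckPluginConfig, rundeckInstance,
login, password, apiToken) are assumptions made for illustration, not the
plugin's documented field names.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins persists hudson.util.Secret values as "{<base64>}"; the base64 of the
# current on-disk format starts with "AQAAABAAAA", so encrypted values look like
# {AQAAABAAAA...}. Anything that does not match is treated as plaintext.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Element names that usually carry a credential (matched case-insensitively).
SENSITIVE_TAG_RE = re.compile(r"password|passwd|token|secret|apikey", re.IGNORECASE)

# Jenkins writes an XML 1.1 declaration; drop it so the parser sees only the body.
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")


def find_plaintext_secrets(xml_text, source="<memory>"):
    """Return [(source, element_path, value)] for every credential-looking
    element whose text is not in Jenkins' encrypted "{base64}" form.

    A legacy or hand-edited value that is not braced is reported too; a false
    positive here costs a glance, a missed plaintext secret costs a credential.
    """
    findings = []

    def walk(elem, path):
        tag = elem.tag.split("}")[-1]  # strip any XML namespace prefix
        path = f"{path}/{tag}"
        value = (elem.text or "").strip()
        if value and SENSITIVE_TAG_RE.search(tag) and not ENCRYPTED_RE.match(value):
            findings.append((source, path, value))
        for child in elem:
            walk(child, path)

    walk(ET.fromstring(XML_DECL_RE.sub("", xml_text, count=1)), "")
    return findings


def scan_jenkins_home(jenkins_home):
    """Scan the two places the advisory names: plugin global configuration
    files in JENKINS_HOME and every job's config.xml under jobs/ (the ** glob
    also reaches jobs nested inside folders)."""
    home = Path(jenkins_home)
    candidates = list(home.glob("*.xml")) + list(home.glob("jobs/**/config.xml"))
    findings = []
    for path in candidates:
        try:
            findings.extend(find_plaintext_secrets(path.read_text(encoding="utf-8"), str(path)))
        except ET.ParseError as exc:
            print(f"skipping {path}: {exc}", file=sys.stderr)
    return findings


# Constructed sample: a global config as an unpatched plugin would write it,
# password and API token in the clear. Element names are assumed.
SAMPLE_GLOBAL_CONFIG_PLAINTEXT = """<?xml version='1.1' encoding='UTF-8'?>
<rundeckPluginConfig>
  <rundeckInstance>
    <url>https://rundeck.example.internal</url>
    <login>jenkins-svc</login>
    <password>hunter2</password>
    <apiToken>0123456789abcdef0123456789abcdef</apiToken>
  </rundeckInstance>
</rundeckPluginConfig>
"""

# Constructed sample: the same config after a fixed plugin re-saves it. The
# payloads only mimic the shape of the encrypted format; they decrypt to nothing.
SAMPLE_GLOBAL_CONFIG_ENCRYPTED = """<?xml version='1.1' encoding='UTF-8'?>
<rundeckPluginConfig>
  <rundeckInstance>
    <url>https://rundeck.example.internal</url>
    <login>jenkins-svc</login>
    <password>{AQAAABAAAAAQ2EkMvQX6T5cl9Jm7rW4fXKrqzQ9hQ3zN0d5Zb1lP4x8=}</password>
    <apiToken>{AQAAABAAAAAgF3Jq9uWm0c4yH2bK6tRs8vZxL1nA5eD7gC9iP0oT3qU=}</apiToken>
  </rundeckInstance>
</rundeckPluginConfig>
"""

if __name__ == "__main__":
    # With a JENKINS_HOME argument scan it; otherwise run over the two samples.
    if len(sys.argv) > 1:
        results = scan_jenkins_home(sys.argv[1])
    else:
        results = find_plaintext_secrets(SAMPLE_GLOBAL_CONFIG_PLAINTEXT, "sample-plaintext.xml")
        results += find_plaintext_secrets(SAMPLE_GLOBAL_CONFIG_ENCRYPTED, "sample-encrypted.xml")
    for source, path, value in results:
        print(f"{source}: {path} holds a plaintext value ({len(value)} chars)")
    sys.exit(1 if results else 0)
```

Run it on the master as `python scan.py /var/lib/jenkins` (or wherever JENKINS_HOME lives); with no argument it scans the two constructed samples and reports only the plaintext one. A non-zero exit means there is something to rotate, and re-running after the upgrade and re-save should come back clean, with the values rewritten as `{AQAAABAAAA...}`. The value is printed only as a length so the scan output itself does not become another copy of the secret.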
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:rundeck | Maven | < 3.6.6 | 3.6.6 |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qh3m-c6hw-5hmv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-16556 (NVD advisory)
- www.openwall.com/lists/oss-security/2019/12/17/1 (oss-security mailing list)
- jenkins.io/security/advisory/2019-12-17/ (Jenkins security advisory, vendor confirmation)
News mentions
No linked articles in our index yet.