Moderate severity · NVD Advisory · Published Dec 17, 2019 · Updated Aug 5, 2024
CVE-2019-16557
CVE-2019-16557
Description
Jenkins Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.redgate.plugins.redgatesqlci:redgate-sql-ci (Maven) | < 2.0.4 | 2.0.4 |
Affected products
1- Range: unspecified
Patches
1- 18525ee6f01a [SECURITY-1598]
4 files changed · +31 −15
src/main/java/redgatesqlci/BuildBuilder.java+9 −4 modified
@@ -10,6 +10,7 @@
 import hudson.tasks.Builder;
 import hudson.util.FormValidation;
 import hudson.util.ListBoxModel;
+import hudson.util.Secret;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
@@ -80,9 +81,13 @@ public String getUsername() {
 return username;
 }
- private final String password;
+ private Secret password;
- public String getPassword() {
+ public void setPassword(Secret password) {
+ this.password = password;
+ }
+
+ public Secret getPassword() {
 return password;
 }
@@ -170,7 +175,7 @@ public BuildBuilder(
 serverName = "";
 serverAuth = null;
 username = "";
- password = "";
+ password = Secret.fromString("");
 }
 this.options = options;
@@ -245,7 +250,7 @@ public boolean perform(final AbstractBuild build, final Launcher launcher, final
 params.add("-temporaryDatabaseUserName");
 params.add(getUsername());
 params.add("-temporaryDatabasePassword");
- params.add(getPassword());
+ params.add(getPassword().getPlainText());
 }
 }
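Review bot: In the second hunk the `password` field loses `final` and gains a public `setPassword(Secret)` that nothing visible in this diff calls, so the builder's secret becomes mutable after construction. If the constructor still assigns the field on every path (the `password = Secret.fromString("")` branch in the next hunk suggests it does), keep `private final Secret password;` and drop the setter; if the setter is meant for form binding, mark it `@DataBoundSetter` and say so in a comment. The same pattern is repeated in SyncBuilder.java and TestBuilder.java. The class body continues outside these hunks, so a caller elsewhere cannot be ruled out.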
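Review bot: `params.add(getPassword().getPlainText());` in the last hunk decrypts the secret and appends it to what looks like the tool's argument list, so the value is protected in config.xml but still travels as a process argument, where process listings and any logged command line can expose it. If `params` is later copied into an `ArgumentListBuilder`, add this value with `addMasked(getPassword())` so Jenkins masks it in the build log; otherwise document the residual exposure in a comment next to the call. `perform` starts and ends outside the hunk, and the same line appears in the `perform` hunks of SyncBuilder.java and TestBuilder.java.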
src/main/java/redgatesqlci/ServerAuth.java+4 −3 modified
@@ -1,11 +1,12 @@
 package redgatesqlci;
+import hudson.util.Secret;
 import org.kohsuke.stapler.DataBoundConstructor;
 public class ServerAuth {
 private final String value;
 private final String username;
- private final String password;
+ private final Secret password;
 public String getvalue() {
 return value;
@@ -15,12 +16,12 @@ public String getUsername() {
 return username;
 }
- public String getPassword() {
+ public Secret getPassword() {
 return password;
 }
 @DataBoundConstructor
- public ServerAuth(final String value, final String username, final String password) {
+ public ServerAuth(final String value, final String username, final Secret password) {
 this.value = value;
 this.username = username;
 this.password = password;
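Review bot: `ServerAuth` now binds and returns a `Secret`, but all four changed files are Java sources, so the form view that feeds this `@DataBoundConstructor` is not part of the diff. Confirm the password field in the corresponding Jelly view is an `f:password` control rather than a text box, otherwise the stored value can still be echoed back into the configuration page. It would also help to add a one-line Javadoc on `getPassword()`, e.g. `/** Returns the database password as an encrypted Secret; call getPlainText() only at the point of use. */`. Jobs saved before this change presumably keep the old plain-text element in config.xml until they are saved again, which is worth stating in the release notes.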
src/main/java/redgatesqlci/SyncBuilder.java+9 −4 modified
@@ -8,6 +8,7 @@
 import hudson.tasks.BuildStepDescriptor;
 import hudson.tasks.Builder;
 import hudson.util.FormValidation;
+import hudson.util.Secret;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
@@ -49,9 +50,13 @@ public String getUsername() {
 return username;
 }
- private final String password;
-
- public String getPassword() {
+ private Secret password;
+
+ public void setPassword(Secret password) {
+ this.password = password;
+ }
+
+ public Secret getPassword() {
 return password;
 }
@@ -151,7 +156,7 @@ public boolean perform(final AbstractBuild build, final Launcher launcher, final
 params.add("-databaseUserName");
 params.add(getUsername());
 params.add("-databasePassword");
- params.add(getPassword());
+ params.add(getPassword().getPlainText());
 }
 if (!options.isEmpty()) {
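Review bot: `getPassword().getPlainText()` in the `perform` hunk dereferences the field without a null check, and unlike BuildBuilder.java and TestBuilder.java this file shows no `Secret.fromString("")` default for the path without SQL authentication. With the field no longer `final`, a job whose config.xml has no password element, or a caller passing `null` to `setPassword`, would likely fail here with a NullPointerException. `params.add(Secret.toString(getPassword()));` is the null-safe form and yields an empty string for `null`. `perform` and the constructor lie outside the visible hunks, so any existing guards could not be checked.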
src/main/java/redgatesqlci/TestBuilder.java+9 −4 modified
@@ -9,6 +9,7 @@
 import hudson.tasks.BuildStepDescriptor;
 import hudson.tasks.Builder;
 import hudson.util.FormValidation;
+import hudson.util.Secret;
 import net.sf.json.JSONObject;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
@@ -71,9 +72,13 @@ public String getUsername() {
 return username;
 }
- private final String password;
+ private Secret password;
- public String getPassword() {
+ public void setPassword(Secret password) {
+ this.password = password;
+ }
+
+ public Secret getPassword() {
 return password;
 }
@@ -172,7 +177,7 @@ public TestBuilder(
 serverName = "";
 serverAuth = null;
 username = "";
- password = "";
+ password = Secret.fromString("");
 }
 if ("runOnlyTest".equals(this.runTestSet)) {
@@ -223,7 +228,7 @@ public boolean perform(final AbstractBuild build, final Launcher launcher, final
 params.add("-temporaryDatabaseUserName");
 params.add(getUsername());
 params.add("-temporaryDatabasePassword");
- params.add(getPassword());
+ params.add(getPassword().getPlainText());
 }
 }
References
5- github.com/advisories/GHSA-9hpq-528p-48j3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-16557ghsaADVISORY
- www.openwall.com/lists/oss-security/2019/12/17/1ghsamailing-listx_refsource_MLISTWEB
- github.com/jenkinsci/redgate-sql-ci-plugin/commit/18525ee6f01a5bc36040d40f1ff63702ce7280acghsaWEB
- jenkins.io/security/advisory/2019-12-17/ghsax_refsource_CONFIRMWEB