CVE-2019-1010241: Jenkins Credentials Binding Plugin Stores Passwords in a Recoverable Format

May 24, 2022 (updated March 12, 2025)

Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job.

References

docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA/edit?usp=sharing
github.com/advisories/GHSA-j7gw-mwfg-vqf4
github.com/jenkinsci/credentials-binding-plugin
nvd.nist.gov/vuln/detail/CVE-2019-1010241
web.archive.org/web/20200227030005/https://www.securityfocus.com/bid/109320

Detect and mitigate CVE-2019-1010241 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →