PT-2019-11331 · Jenkins · Jenkins Repository Connector Plugin

Viktor Gazdag · Published 2019-03-08 · Updated 2023-10-25 · CVE-2019-1003038

CVSS v3.1: 3.3 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Repository Connector Plugin versions 1.2.4 and earlier
Description: The issue allows an attacker with local file system access or control of a Jenkins administrator's web browser to retrieve the password stored in the plugin configuration. This is due to insufficient protection of credentials in the plugin. The plugin stored the username and password unencrypted in its global configuration file on the Jenkins controller, allowing users with access to the Jenkins controller file system to view the password.
Recommendations: For Jenkins Repository Connector Plugin versions 1.2.4 and earlier, update the plugin to a version that stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text. As a temporary workaround, consider restricting access to the Jenkins controller file system to minimize the risk of exploitation.
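As an added illustration (not the Repository Connector Plugin's own code), the usual Jenkins way to move from the plaintext storage described above to the recommended encrypted storage is to type the persisted field as hudson.util.Secret instead of String; the class and field names below are assumed.

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

// Added example (not the plugin's own code); class and field names are assumed.
// Jenkins persists GlobalConfiguration subclasses to an XML file on the controller via
// XStream, so the Java type of each field decides what is written to disk.
@Extension
public class RepositoryConnectorGlobalConfig extends GlobalConfiguration {

    private String username;

    // Vulnerable pattern (the behaviour the advisory describes): a plain String is written
    // to the config XML verbatim, so anyone who can read the file on the controller sees it.
    // private String password;

    // Hardened pattern: hudson.util.Secret is serialized in its encrypted form (its XStream
    // converter writes getEncryptedValue()), and the config form round-trips that form too.
    private Secret password;

    public RepositoryConnectorGlobalConfig() {
        load(); // read the persisted XML; the Secret converter decrypts the stored value
    }

    public String getUsername() { return username; }

    // Jelly: <f:password field="password"/> binds to this getter; the browser receives the
    // encrypted value rather than the plain text.
    public Secret getPassword() { return password; }

    @DataBoundSetter
    public void setUsername(String username) { this.username = username; save(); }

    @DataBoundSetter
    public void setPassword(Secret password) { this.password = password; save(); }

    // Decrypt only at the moment the credential is needed, e.g. when contacting the repository.
    public String plainPasswordForRequest() {
        return Secret.toString(password); // "" when unset, never null
    }
}
```

With this change the on-disk config.xml carries the encrypted value, so the file-system access the advisory names no longer yields the password directly.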

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2019-1003038
GHSA-99JC-V8PQ-6QM4

Affected Products

Jenkins
Jenkins Repository Connector Plugin