CVE-2019-1003039

Name of the Vulnerable Software and Affected Versions: Jenkins AppDynamics Dashboard Plugin versions 1.0.14 and earlier

Description: The issue allows attackers without permission to obtain passwords configured in jobs. This is due to insufficient protection of credentials in the JenkinsAppDynamics Dashboard Plugin. The plugin stored usernames and passwords unencrypted in jobs' config.xml files on the Jenkins controller, making them accessible to users with Extended Read permission or access to the Jenkins controller file system. Although passwords were masked from view, they were transferred in plain text to users when accessing the job configuration form.

Recommendations: For Jenkins AppDynamics Dashboard Plugin versions 1.0.14 and earlier, save the job configuration to overwrite existing plain text passwords with encrypted ones, as the plugin now stores passwords encrypted in configuration files and no longer transfers them in plain text.