CVE-2019-1003064

Name of the Vulnerable Software and Affected Versions: Jenkins aws-device-farm Plugin (affected versions not specified)

Description: The issue concerns the storage of credentials in an unencrypted manner within the global configuration file of the Jenkins aws-device-farm Plugin. Specifically, credentials are stored in the org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.xml file on the Jenkins controller. This allows users with access to the Jenkins controller file system to view these credentials.

Recommendations: For the Jenkins aws-device-farm Plugin, consider restricting access to the Jenkins controller file system to minimize the risk of credential exposure. As a temporary workaround, restrict access to the org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.xml file until a secure method of storing credentials is implemented. At the moment, there is no information about a newer version that contains a fix for this vulnerability.