CVE-2019-10422

Name of the Vulnerable Software and Affected Versions Jenkins Call Remote Job Plugin (affected versions not specified)

Description The issue concerns the storage of credentials in an unencrypted manner within job config.xml files on the Jenkins master or controller. This allows users with Extended Read permission or access to the master file system to view these credentials. Specifically, the Call Remote Job Plugin stores a password unencrypted in job config.xml files, which can be accessed by users with the aforementioned permissions.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the Jenkins master file system and limiting Extended Read permissions to minimize the risk of exploitation. Avoid using the Call Remote Job Plugin until the issue is resolved.