Git Changelog Plugin stored MediaWiki and Jira passwords unencrypted in job `config.xml` files on the Jenkins controller. These passwords could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Git Changelog Plugin now stores these passwords encrypted. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

Affected Packages

Maven de.wellnerbou.jenkins:git-changelog

Affected versions: 0 (fixed in 2.18)

Related CVEs

CVE-2019-10414

Key Information

GHSA ID

GHSA-h27g-72mh-9m33

Published

May 24, 2022 4:56 PM

Last Modified

February 23, 2023 8:32 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

de.wellnerbou.jenkins:git-changelog

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 27, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.