Jenkins AppDynamics Dashboard Plugin stored username and password in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

While masked from view using a password form field, the password was transferred in plain text to users when accessing the job configuration form.

AppDynamics Dashboard Plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

Affected Packages

Maven org.jenkins-ci.plugins:appdynamics-dashboard

Affected versions: 0 (fixed in 1.0.15)

Related CVEs

CVE-2019-1003039

Key Information

GHSA ID

GHSA-mmqx-g78c-hvfj

Published

May 13, 2022 1:15 AM

Last Modified

October 25, 2023 11:01 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:appdynamics-dashboard

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 1, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.