Jenkins Maven Release Plug-in Plugin stored credentials unencrypted in its global configuration file `org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper.xml` on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

Maven Release Plug-in Plugin now stores credentials encrypted.

Affected Packages

Maven org.jenkins-ci.plugins.m2release:m2release

Affected versions: 0 (fixed in 0.15.0)

Related CVEs

CVE-2019-10361

Key Information

GHSA ID

GHSA-vwx8-qpqh-qwm9

Published

May 24, 2022 4:51 PM

Last Modified

October 26, 2023 10:46 PM

CVSS Score

2.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins.m2release:m2release

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.