CVE-2019-10358 — Maven Integration Plugin did not mask sensitive values in module build logs

Description

Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log.

How to fix CVE-2019-10358

To remediate CVE-2019-10358, upgrade the affected package to a fixed version below.

Maven/org.jenkins-ci.main:maven-plugin—upgrade to 3.4 or later

Is CVE-2019-10358 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10358
PATCHgithub.com/jenkinsci/maven-plugin
WEBgithub.com/jenkinsci/maven-plugin/commit/23e3fe5c43705883e4fb9d3ba052dfb1af3f2464
WEBjenkins.io/security/advisory/2019-07-31/#SECURITY-713