CVE-2019-10434 — Jenkins LDAP Email Plugin shows plain text password in configuration form

Description

Jenkins LDAP Email Plugin transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

How to fix CVE-2019-10434

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

Maven/com.mtvi.plateng.hudson:ldapemail—no fix listed

Is CVE-2019-10434 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.8

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10434
PATCHgithub.com/jenkinsci/ldapemail-plugin
WEBjenkins.io/security/advisory/2019-10-01/#SECURITY-1515
WEBwww.openwall.com/lists/oss-security/2019/10/01/2