CVE-2024-39459
📋 TL;DR
The Jenkins Plain Credentials Plugin versions 182.v468b_97b_9dcb_8 and earlier store secret file credentials unencrypted (only Base64 encoded) on the Jenkins controller file system. This allows users with file system access or Item/Extended Read permission to view these credentials. Organizations using affected plugin versions with secret file credentials are impacted.
💻 Affected Systems
- Jenkins Plain Credentials Plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers with file system access or Item/Extended Read permission could exfiltrate all stored secret file credentials, leading to credential theft and potential lateral movement.
Likely Case
Insiders or compromised accounts with appropriate permissions could access and misuse stored credentials for unauthorized actions.
If Mitigated
With strict access controls and monitoring, impact is limited to authorized users who already have elevated permissions.
🎯 Exploit Status
Exploitation requires existing access to the Jenkins controller file system or the Item/Extended Read permission; no unauthenticated path is described.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 183.v7b_36b_2a_70c or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2024-06-26/#SECURITY-2495
Restart Required: Yes
Instructions:
1. Update Jenkins Plain Credentials Plugin to version 183.v7b_36b_2a_70c or later via Jenkins Plugin Manager.
2. Restart the Jenkins controller.
3. Verify the plugin version in the Installed Plugins list.
🔧 Temporary Workarounds
Restrict File System Access
- Limit access to the Jenkins controller file system to only the necessary administrators.
- Use OS-level permissions (chmod/chown on Linux, ACLs on Windows) to restrict access to the Jenkins home directory.
Review and Limit Permissions
- Audit and reduce Item/Extended Read permissions to the minimum necessary users.
- Review Jenkins Role-Based Authorization Strategy or Matrix Authorization Strategy configurations.
🧯 If You Can't Patch
- Migrate secret file credentials to other credential types that are properly encrypted
- Implement strict monitoring and auditing of file system access and credential usage
🔍 How to Verify
Check if Vulnerable:
Check Jenkins Plugin Manager for the Plain Credentials Plugin version. If the version is 182.v468b_97b_9dcb_8 or earlier, the instance is vulnerable.
Check Version:
On Jenkins web interface: Manage Jenkins > Manage Plugins > Installed tab, search for 'Plain Credentials'
Verify Fix Applied:
Verify Plain Credentials Plugin version is 183.v7b_36b_2a_70c or later in Jenkins Plugin Manager.
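The version check above can be automated against the plugin manager's JSON API. This is an added example, not code from the advisory or the plugin: it assumes the Jenkins incrementals version format `<n>.v<hash>` (plus older dotted releases such as 1.8), assumes the plugin's short name in the API output is `plain-credentials`, and uses a constructed sample response.

```python
"""Check whether an installed Jenkins Plain Credentials Plugin version is
affected by CVE-2024-39459 (added example, not part of the advisory).

Assumes the Jenkins incrementals version format <n>.v<hash> (as in
182.v468b_97b_9dcb_8) and older dotted releases such as 1.8. The JSON
below is a constructed sample in the shape of /pluginManager/api/json?depth=1."""
import json
import re

FIXED_VERSION = "183.v7b_36b_2a_70c"    # from the vendor advisory
PLUGIN_SHORT_NAME = "plain-credentials"  # assumed plugin id in the API output


def version_key(version: str) -> tuple:
    """Return the leading numeric components of a Jenkins plugin version.

    '182.v468b_97b_9dcb_8' -> (182,), '1.8' -> (1, 8). The hash suffix carries
    no ordering, so comparison uses only the numeric prefix (assumption).
    """
    m = re.match(r"^(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed version sorts before the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def check_plugins(api_json: str) -> dict:
    """Locate plain-credentials in pluginManager JSON and report its status.

    Returns {'installed': bool, 'version': str | None, 'vulnerable': bool}.
    """
    for p in json.loads(api_json).get("plugins", []):
        if p.get("shortName") == PLUGIN_SHORT_NAME:
            v = p.get("version", "")
            return {"installed": True, "version": v, "vulnerable": is_vulnerable(v)}
    return {"installed": False, "version": None, "vulnerable": False}


# Constructed sample response (not real data) mimicking the API shape.
SAMPLE_API_JSON = json.dumps({"plugins": [
    {"shortName": "credentials", "version": "1000.vexa_mple_0000", "active": True},
    {"shortName": "plain-credentials", "version": "182.v468b_97b_9dcb_8", "active": True},
]})

if __name__ == "__main__":
    print(check_plugins(SAMPLE_API_JSON))  # -> {'installed': True, 'version': '182.v468b_97b_9dcb_8', 'vulnerable': True}
```

Against a live controller, fetch `/pluginManager/api/json?depth=1` with an API token and pass the response body to `check_plugins`.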
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Jenkins controller file system
- Unusual credential usage patterns
Network Indicators:
- Unusual outbound connections following file system access
SIEM Query:
source="jenkins" AND (event="File access" OR event="Permission change") AND user NOT IN ["authorized_users"]