
CVE-2014-2061: Jenkins allows attackers to obtain passwords by reading the HTML source code

CVSS Score: 5

Basic Information

EPSS Score: 0.43565%
CWE: -
Published: 5/17/2022
Updated: 3/5/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.jenkins-ci.main:jenkins-core | maven | >= 1.533, < 1.551 | 1.551
org.jenkins-ci.main:jenkins-core | maven | < 1.532.2 | 1.532.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from PasswordParameterDefinition's getDefaultValue() returning the password as a plaintext string. The associated Jelly template (config.jelly) wrote this value into the 'value' attribute of a password input field, so the plaintext appeared in the page's HTML source. The patch introduced getDefaultValueAsSecret(), which returns an encrypted Secret instead, and updated the template to use it. The pre-patch getDefaultValue() was the direct source of the plaintext exposure.
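A defender-side regression check for this exposure, added here as an example (it is not part of the Miggo page or of Jenkins): it parses a rendered job configuration page and reports any password input whose value attribute carries one of the plaintext defaults the administrator knows were configured. The HTML samples, the default "hunter2" and the ciphertext placeholder are all constructed.

```python
from html.parser import HTMLParser


class PasswordInputCollector(HTMLParser):
    """Collect (name, value) for every <input type="password"> on a page.
    HTMLParser lower-cases tag and attribute names and unescapes attribute
    values, so value="p&amp;ss" is compared as the literal p&ss."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password":
            self.fields.append((a.get("name", ""), a.get("value", "")))


def find_exposed_defaults(page_html, known_plaintexts):
    """Names of password fields whose rendered value attribute equals one of
    the plaintext defaults the administrator configured.  On a patched Jenkins
    (1.551 / LTS 1.532.2) the template renders the Secret's encrypted form, so
    any hit means plaintext is still being written into the page source."""
    collector = PasswordInputCollector()
    collector.feed(page_html)
    secrets = set(known_plaintexts)
    return [name for name, value in collector.fields if value and value in secrets]


# Constructed stand-ins for a job's configure page; not captured from a real server.
VULNERABLE_PAGE = """
<input type="text" name="name" value="DEPLOY_PASSWORD">
<input type="password" name="defaultValue" value="hunter2">
"""
PATCHED_PAGE = """
<input type="text" name="name" value="DEPLOY_PASSWORD">
<input type="password" name="defaultValue" value="ENCRYPTED-SECRET-PLACEHOLDER">
"""

if __name__ == "__main__":
    configured = ["hunter2"]  # the default the administrator set on the parameter
    print("vulnerable page exposes:", find_exposed_defaults(VULNERABLE_PAGE, configured))
    print("patched page exposes:", find_exposed_defaults(PATCHED_PAGE, configured))
```

Run it against the saved HTML of the job's configure page after upgrading; an empty result for every configured default confirms the template no longer emits the plaintext.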


WAF Protection Rules

WAF Rule

The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.
