3.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1999031

GHSA ID

GHSA-3hw6-gc8h-9243

EPSS Score

0.22669%

CWE

CWE-200

Published

5/14/2022

Updated

12/18/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-1999031

CVE-2018-1999031: Jenkins meliora-testlab Plugin allows attackers with file system access to Jenkins master to obtain API key

An exposure of sensitive information vulnerability exists in Jenkins meliora-testlab Plugin 1.14 and earlier in TestlabNotifier.java that allows attackers with file system access to the Jenkins master to obtain the API key stored in this plugin's configuration. Additionally, the API key was not masked from view using a password form field. As of version 1.15, the plugin stores the API Key encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

(GitHub Advisory)

3.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1999031

GHSA ID

GHSA-3hw6-gc8h-9243

EPSS Score

0.22669%

CWE

CWE-200

Published

5/14/2022

Updated

12/18/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:meliora-testlab	maven	<= 1.14	1.15

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from handling API keys in plain text. Key evidence includes:

The 'apiKey' field was changed from String to Secret type in the code
Configuration Jelly files were updated from textbox to password fields
The commit message explicitly mentions encrypting API keys in configuration
The perform() method was modified to use Secret.getPlainText() for decryption These functions directly handled sensitive data storage/retrieval without encryption in <=1.14 versions, matching the vulnerability description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *xposur* o* s*nsitiv* in*orm*tion vuln*r**ility *xists in J*nkins m*lior*-t*stl** Plu*in *.** *n* **rli*r in T*stl**Noti*i*r.j*v* t**t *llows *tt**k*rs wit* *il* syst*m ****ss to t** J*nkins m*st*r to o*t*in t** *PI k*y stor** in t*is plu*in's *on

Reasoning

T** vuln*r**ility st*ms *rom **n*lin* *PI k*ys in pl*in t*xt. K*y *vi**n** in*lu**s: *. T** '*piK*y' *i*l* w*s ***n*** *rom Strin* to S**r*t typ* in t** *o** *. *on*i*ur*tion J*lly *il*s w*r* up**t** *rom t*xt*ox to p*sswor* *i*l*s *. T** *ommit m*ss

3.3

Basic Information

Concerned about an active attack path?

CVE-2018-1999031: Jenkins meliora-testlab Plugin allows attackers with file system access to Jenkins master to obtain API key

3.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI