Miggo Logo
Miggo Vulnerability Database
CVE-2019-1003053

CVE-2019-1003053: Jenkins HockeyApp Plugin stores credentials in plain text

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-1003053
GHSA ID
GHSA-45fr-w365-f7pm
EPSS Score
0.30633%
CWE
CWE-311
Published
5/13/2022
Updated
1/30/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:hockeyappmaven<= 1.4.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unencrypted credential storage in job config.xml files. In Jenkins plugin development, credentials should be stored using the Secret class or Credentials API. The HockeyAppRecorder class (or similar configuration class) likely contains getter methods that serialize sensitive fields like API tokens directly to XML without encryption. The high confidence for getApiToken() aligns with credential-handling patterns in Jenkins vulnerabilities, while getAppId() is included due to its association with credential context in HockeyApp integrations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *o*k*y*pp Plu*in stor*s *r***nti*ls un*n*rypt** in jo* *on*i*.xml *il*s on t** J*nkins m*st*r w**r* t**y **n ** vi*w** *y us*rs wit* *xt*n*** R*** p*rmission, or ****ss to t** m*st*r *il* syst*m.

Reasoning

T** vuln*r**ility st*ms *rom un*n*rypt** *r***nti*l stor*** in jo* `*on*i*.xml` *il*s. In J*nkins plu*in **v*lopm*nt, *r***nti*ls s*oul* ** stor** usin* t** `S**r*t` *l*ss or `*r***nti*ls` *PI. T** `*o*k*y*ppR**or**r` *l*ss (or simil*r *on*i*ur*tion