CVE-2019-1003054: Jenkins Jira Issue Updater Plugin stores credentials in plain text
4.3
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| info.bluefloyd.jenkins:jenkins-jira-issue-updater | maven | <= 1.18 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unencrypted credential storage in job `config.xml` files. Jenkins plugins typically handle credential storage through: 1) Builder classes that persist job configuration data, and 2) Descriptor/configuration classes that handle global settings. The advisory explicitly states that credentials are stored in job `config.xml`, indicating the vulnerability exists in the serialization methods responsible for writing credentials to these files. Without encryption mechanisms like `Secret` or `CredentialsBinding`, any methods that directly write credential strings to persistent storage would be vulnerable. The high confidence comes from the pattern matching with Jenkins plugin vulnerabilities and the explicit advisory description of plaintext storage in `config.xml`.
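A practical way to check a Jenkins controller for this class of issue is to scan job `config.xml` files for credential-like elements whose value is not in the serialized `Secret` form. The script below is an added example, not code from Miggo or from the Jira Issue Updater plugin. It assumes that a `Secret` field serializes as a base64 string wrapped in braces (`{...}`), uses a heuristic list of element names that usually carry secrets, and runs on a constructed `config.xml` sample whose builder element name (`example.plugin.HypotheticalBuilder`) is invented for illustration.

```python
"""Flag credential-like fields stored as plaintext in Jenkins job config.xml files."""
import re
import xml.etree.ElementTree as ET

# Element names that commonly carry secrets (assumption: a heuristic list,
# extend it for the plugins installed on your controller).
SECRET_TAGS = re.compile(r"(password|passwd|secret|token|apikey|api_key)", re.IGNORECASE)

# Assumption: a hudson.util.Secret serializes as "{<base64>}" in config.xml.
ENCRYPTED_FORM = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Constructed sample: one builder persists a password as a plain String,
# another stores its token as a Secret. The class names are hypothetical.
SAMPLE_CONFIG = """<project>
  <builders>
    <example.plugin.HypotheticalBuilder>
      <restAPIUrl>https://jira.example.invalid/rest/api/2</restAPIUrl>
      <userName>ci-bot</userName>
      <password>hunter2</password>
    </example.plugin.HypotheticalBuilder>
    <example.plugin.HardenedBuilder>
      <apiToken>{AQAAABAAAAAQ0f2v0ZJ9XzqS5uq1Z0n0t3E=}</apiToken>
    </example.plugin.HardenedBuilder>
  </builders>
</project>
"""


def classify_value(value: str) -> str:
    """Return 'empty', 'encrypted' or 'plaintext' for a credential field's text."""
    value = (value or "").strip()
    if not value:
        return "empty"
    if ENCRYPTED_FORM.match(value):
        return "encrypted"
    return "plaintext"


def find_plaintext_secrets(config_xml: str) -> list:
    """Return the element paths of credential-like fields stored in plaintext.

    Only paths are returned, so the report itself never re-exposes the value.
    """
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if SECRET_TAGS.search(elem.tag) and classify_value(elem.text) == "plaintext":
            findings.append(here)
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


if __name__ == "__main__":
    for path in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext credential at {path}")
```

Run it over `$JENKINS_HOME/jobs/*/config.xml`; any hit points at a plugin field that should be migrated to `Secret` or to a credentials-plugin reference, and the job configuration should be treated as having exposed that credential to anyone with read access to the file.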