Miggo Logo
Miggo Vulnerability Database
CVE-2019-1003054

CVE-2019-1003054: Jenkins Jira Issue Updater Plugin stores credentials in plain text

4.3

CVSS Score
3.0

Basic Information

CVE ID
CVE-2019-1003054
GHSA ID
GHSA-p6qr-286g-79rv
EPSS Score
0.30633%
CWE
CWE-311
Published
5/13/2022
Updated
10/26/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
info.bluefloyd.jenkins:jenkins-jira-issue-updatermaven<= 1.18

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unencrypted credential storage in job config.xml files. Jenkins plugins typically handle credential storage through: 1) Builder classes that persist job configuration data, and 2) Descriptor/configuration classes that handle global settings. The advisory explicitly states credentials are stored in job config.xml, indicating the vulnerability exists in the serialization methods responsible for writing credentials to these files. Without encryption mechanisms like Secret or CredentialsBinding, any methods that directly write credential strings to persistent storage would be vulnerable. The high confidence comes from the pattern matching with Jenkins plugin vulnerabilities and the explicit advisory description of plaintext storage in config.xml.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins Jir* Issu* Up**t*r Plu*in stor*s *r***nti*ls un*n*rypt** in jo* `*on*i*.xml` *il*s on t** J*nkins *ontroll*r. T**s* *r***nti*ls **n ** vi*w** *y us*rs wit* *xt*n*** R*** p*rmission, or ****ss to t** J*nkins *ontroll*r *il* syst*m.

Reasoning

T** vuln*r**ility st*ms *rom un*n*rypt** *r***nti*l stor*** in jo* `*on*i*.xml` *il*s. J*nkins plu*ins typi**lly **n*l* *r***nti*l stor*** t*rou**: *) *uil**r *l*ss*s t**t p*rsist jo* *on*i*ur*tion **t*, *n* *) **s*riptor/*on*i*ur*tion *l*ss*s t**t *