CVE-2019-1003060:
Jenkins OWASP ZAP Plugin stores unencrypted credentials
3.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.24824%
CWE
Published
5/13/2022
Updated
10/26/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:zap | maven | <= 1.1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unencrypted storage of Jira credentials in the global configuration file. Jenkins plugins typically use a Descriptor class (e.g., ZAPBuilder.DescriptorImpl) to manage global settings, which are serialized to XML. The advisory explicitly identifies the file org.jenkinsci.plugins.zap.ZAPBuilder.xml
as the vulnerable artifact. Since Jenkins provides a secure Credentials API for encrypted storage, the absence of its usage in these configuration-handling functions directly enables the plaintext exposure. The high confidence stems from the explicit file path/class structure mentioned in advisories and standard Jenkins plugin architecture patterns.