CVE-2019-1003060: Jenkins OWASP ZAP Plugin stores unencrypted credentials

CVSS Score (v3.1): 3.3

Basic Information

EPSS Score: 0.24824%
Published: 5/13/2022
Updated: 10/26/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jenkins-ci.plugins:zap
Ecosystem: maven
Vulnerable Versions: <= 1.1.0
First Patched Version: (not listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the unencrypted storage of Jira credentials in the plugin's global configuration file. Jenkins plugins typically use a Descriptor class (e.g., ZAPBuilder.DescriptorImpl) to manage global settings, and the Descriptor's fields are serialized to an XML file on the controller. The advisory explicitly identifies the file org.jenkinsci.plugins.zap.ZAPBuilder.xml as the vulnerable artifact. Since Jenkins provides a secure Credentials API for encrypted storage, the plugin's failure to use it in these configuration-handling functions directly results in plaintext exposure. The high confidence stems from the explicit file path and class structure mentioned in advisories and from standard Jenkins plugin architecture patterns.
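As an added illustration of the root cause just described (example code, not the ZAP plugin's own source; class and field names are assumptions), the vulnerable plain String field is contrasted with a hudson.util.Secret field and with a Credentials API reference, both of which keep the plaintext out of the serialized XML file:

```java
// Added example, not the plugin's own code; class and field names are assumed.
// GlobalConfiguration fields are serialized to
// $JENKINS_HOME/<fully.qualified.ClassName>.xml on save().
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.security.ACL;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundSetter;
import java.util.Collections;

@Extension
public class JiraGlobalConfig extends GlobalConfiguration {
    // Vulnerable pattern (the CVE): a plain String is written verbatim,
    //   private String jiraPassword;  -> <jiraPassword>hunter2</jiraPassword>
    // Hardened: Secret's XStream converter encrypts with the controller key,
    //   -> <jiraPassword>{AQAAABAAAA...}</jiraPassword>
    private Secret jiraPassword;
    // Preferred: persist only an ID that points into the Credentials store.
    private String jiraCredentialsId;

    public JiraGlobalConfig() { load(); }           // read the XML back in

    @DataBoundSetter
    public void setJiraPassword(Secret jiraPassword) {
        this.jiraPassword = jiraPassword;           // Stapler converts the form value
        save();                                     // write the XML file
    }

    @DataBoundSetter
    public void setJiraCredentialsId(String id) { this.jiraCredentialsId = id; save(); }

    // Decrypt only at the point of use; never log it or return it to the UI.
    public String jiraPasswordPlainText() { return Secret.toString(jiraPassword); }

    // Resolve the referenced credential as SYSTEM (global configuration context).
    public StandardUsernamePasswordCredentials resolveJiraCredentials() {
        if (jiraCredentialsId == null) return null;
        return CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(
                StandardUsernamePasswordCredentials.class, Jenkins.get(),
                ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
            CredentialsMatchers.withId(jiraCredentialsId));
    }
}
```

A quick check on an existing controller is to look inside the plugin's .xml file under JENKINS_HOME: a password element whose value is not wrapped in braces is stored in clear text.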


WAF Protection Rules

WAF Rule

Jenkins Official OWASP ZAP Plugin stores Jira credentials unencrypted in its global configuration file `org.jenkinsci.plugins.zap.ZAPBuilder.xml` on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller
