CVE-2019-1003068: Jenkins VMware vRealize Automation Plugin Missing Encryption of Sensitive Data

CVSS Score: 4.3 (CVSS 3.0)

Basic Information
CVE ID: CVE-2019-1003068
GHSA ID:
EPSS Score: 0.30633%
CWE:
Published: 5/13/2022
Updated: 10/26/2023
KEV Status: No
Technology: Java

Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.inkysea.vmware.vra:vmware-vrealize-automation-plugin | maven | <= 1.2.3 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unencrypted credential storage in Jenkins job config.xml files. In Jenkins plugin architecture:
- Job configuration persistence is typically handled by `*JobProperty` classes and `configure` methods.
- The pattern matches other credential storage vulnerabilities in Jenkins plugins where credentials are serialized to config.xml as plain fields instead of being stored through the Credentials API.
- While the exact code isn't available, the CVE description explicitly states that credentials are stored in job config.xml files, implicating the configuration persistence layer.
- The medium confidence on VRABuilder reflects a common pattern in which build steps accept credential input directly and persist it without encryption.
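As an added illustration, not the plugin's own code (which the analysis above notes is unavailable), a hypothetical Jenkins build step contrasts the weak pattern the analysis describes with the hardened one: plain String fields are serialized verbatim into config.xml, whereas persisting only a credentialsId and resolving it through the Credentials API at run time keeps the secret out of the job configuration entirely. The class name, display name and the assumption that the Credentials plugin is on the classpath are mine.

```java
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

// Hypothetical build step; not the vmware-vrealize-automation-plugin's own code.
public class VraCredentialsExampleBuilder extends Builder {
    private final String serverUrl;
    // Weak pattern (the CVE): plain String username/password fields are
    // written verbatim by XStream into the job's config.xml. Hardened pattern:
    // persist only a credential id; the secret itself never reaches config.xml.
    private final String credentialsId;

    @DataBoundConstructor
    public VraCredentialsExampleBuilder(String serverUrl, String credentialsId) {
        this.serverUrl = serverUrl;
        this.credentialsId = credentialsId;
    }

    public String getServerUrl() { return serverUrl; }
    public String getCredentialsId() { return credentialsId; }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        // Resolve the credential at run time, scoped to this build.
        StandardUsernamePasswordCredentials c = CredentialsProvider.findCredentialById(
                credentialsId, StandardUsernamePasswordCredentials.class, build);
        if (c == null) {
            listener.error("Credentials '" + credentialsId + "' not found");
            return false;
        }
        CredentialsProvider.track(build, c); // record the usage for auditing
        // Decrypt only at the point of use; never write the plaintext to the log.
        String password = Secret.toString(c.getPassword());
        listener.getLogger().println("Authenticating to " + serverUrl + " as " + c.getUsername());
        // ... call the vRA API with c.getUsername() and password here (omitted) ...
        return true;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override public boolean isApplicable(Class<? extends AbstractProject> t) { return true; }
        @Override public String getDisplayName() { return "vRA credentials example"; }
    }
}
```

A quick check for the weak pattern in an existing instance is to grep job config.xml files for the plugin's builder element and look for a child element holding a readable password rather than a credentialsId.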