
CVE-2019-10282: Jenkins Klaros-Testmanagement Plugin stores credentials in plain text

CVSS Score
4.3 (CVSS v3.0)

Basic Information

EPSS Score
0.24491%
Published
5/13/2022
Updated
10/26/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name
hudson.plugins.klaros:klaros-testmanagement
Ecosystem
maven
Vulnerable Versions
<= 2.0.0
First Patched Version
2.1.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from handling credentials as plain text Strings rather than Jenkins' Secret type. Key evidence comes from the patch diff showing:

  1. Password field type changed from String to Secret
  2. getPassword() switched from returning raw String to Secret.getEncryptedValue()
  3. Password usage in HTTP queries (invoke method) changed to use Secret.getPlainText()
  4. Constructor and setters modified to use Secret.fromString()

These changes confirm the pre-patch versions directly handled cleartext credentials in storage (config.xml) and during HTTP transmission.
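The pattern the root cause analysis describes, as an added illustration that is not the Klaros plugin's own code: a minimal Jenkins configuration class holding the password as a String (the pre-patch shape) beside the same class using hudson.util.Secret (the patched shape). Class, field and method names here are hypothetical.

```java
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

// BEFORE (hypothetical): the password is a plain String field. Jenkins persists
// Describable objects with XStream, so this field is written verbatim into the
// job's config.xml and is readable by anyone who can read that file.
class KlarosConfigBefore {
    private final String url;
    private final String username;
    private final String password;

    @DataBoundConstructor
    public KlarosConfigBefore(String url, String username, String password) {
        this.url = url;
        this.username = username;
        this.password = password;
    }

    // Cleartext is also echoed back into the job configuration form.
    public String getPassword() {
        return password;
    }
}

// AFTER (hypothetical): the password is a Secret. XStream persists the
// encrypted form, which is tied to the controller's master key, so config.xml
// no longer contains the cleartext.
class KlarosConfigAfter {
    private final String url;
    private final String username;
    private final Secret password;

    @DataBoundConstructor
    public KlarosConfigAfter(String url, String username, String password) {
        this.url = url;
        this.username = username;
        // fromString accepts either a cleartext value from the form or an
        // already-encrypted value round-tripped from getPassword().
        this.password = Secret.fromString(password);
    }

    // Only the encrypted representation leaves the object for storage/forms.
    public String getPassword() {
        return password.getEncryptedValue();
    }

    // Decrypt only at the point of use, e.g. when building the HTTP request.
    String passwordForRequest() {
        return password.getPlainText();
    }
}
```

A quick check on an upgraded controller is to open the job's config.xml and confirm the stored value is the encrypted form rather than the password itself.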


WAF Protection Rules

WAF Rule

Jenkins Klaros-Testmanagement Plugin stores credentials unencrypted in job `config.xml` files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
