CVE-2019-10282: Jenkins Klaros-Testmanagement Plugin stores credentials in plain text
CVSS Score (v3.0): 4.3
Basic Information
CVE ID
GHSA ID
EPSS Score
0.24491%
CWE
Published
5/13/2022
Updated
10/26/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| hudson.plugins.klaros:klaros-testmanagement | maven | <= 2.0.0 | 2.1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from handling credentials as plain-text `String` values rather than Jenkins' `hudson.util.Secret` type. A `String` field is serialized verbatim by XStream into the job's config.xml, so the password sits on disk in cleartext and is returned unchanged by its getter. Key evidence comes from the patch diff, which shows:
- Password field type changed from `String` to `Secret`
- `getPassword()` switched from returning the raw `String` to returning `Secret.getEncryptedValue()`
- Password usage in HTTP queries (the `invoke` method) changed to call `Secret.getPlainText()` at the point of use
- Constructor and setters modified to wrap the submitted value with `Secret.fromString()`

These changes confirm that pre-patch versions handled cleartext credentials both at rest (config.xml) and when building HTTP requests. Note that a config.xml written by a vulnerable version keeps the cleartext value until the configuration is saved again under the patched plugin; `Secret.fromString()` reads the legacy plaintext transparently, so the file is only rewritten in encrypted form on the next save.
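The following is an added illustration of the pattern described above, not the Klaros plugin's own source: a minimal Jenkins plugin configuration class written twice, once with the cleartext `String` handling of the vulnerable versions and once with `hudson.util.Secret` as in the fix. Class, field and method names (`VulnerableConfig`, `HardenedConfig`, `serverUrl`, `withBasicAuth`) are assumed for the example. It compiles inside a Jenkins plugin project (jenkins-core and Stapler on the classpath) and is not a stand-alone program, because `Secret` needs a running Jenkins for its encryption key.

```java
// Added example, not the Klaros plugin's source. Names are assumed for illustration.
// Assumes jenkins-core (hudson.util.Secret) and Stapler annotations on the classpath.
import hudson.util.Secret;
import java.net.URI;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;

public final class CredentialStorageExample {

    /** BEFORE (vulnerable pattern): the password is an ordinary String. XStream
     *  serialises it verbatim, so config.xml contains e.g.
     *  <password>hunter2</password>, and every caller of getPassword()
     *  (Jelly views, the remote API, other plugins) receives the raw value. */
    public static class VulnerableConfig {
        private final String serverUrl;
        private final String username;
        private String password;                       // cleartext at rest

        @DataBoundConstructor
        public VulnerableConfig(String serverUrl, String username, String password) {
            this.serverUrl = serverUrl;
            this.username = username;
            this.password = password;                  // stored as-is
        }

        @DataBoundSetter
        public void setPassword(String password) {
            this.password = password;
        }

        public String getPassword() {
            return password;                           // hands out the plaintext
        }

        HttpRequest invoke() {
            // plaintext String used directly to build the outbound request
            return withBasicAuth(serverUrl, username, password);
        }
    }

    /** AFTER (hardened pattern, mirroring the fix described above): the field is a
     *  Secret, XStream persists only its encrypted form, the getter exposes the
     *  encrypted value rather than the plaintext, and decryption is deferred to the
     *  single point of use inside invoke(). */
    public static class HardenedConfig {
        private final String serverUrl;
        private final String username;
        private Secret password;                       // encrypted at rest

        @DataBoundConstructor
        public HardenedConfig(String serverUrl, String username, String password) {
            this.serverUrl = serverUrl;
            this.username = username;
            // fromString accepts either an already-encrypted value (form re-submit,
            // legacy config.xml) or plaintext, and returns a Secret either way
            this.password = Secret.fromString(password);
        }

        @DataBoundSetter
        public void setPassword(String password) {
            this.password = Secret.fromString(password);
        }

        /** Encrypted value only; enough to re-render the config form without
         *  revealing the plaintext. Returning the Secret itself also works. */
        public String getPassword() {
            return password == null ? null : password.getEncryptedValue();
        }

        HttpRequest invoke() {
            // decrypt immediately before use and nowhere else
            return withBasicAuth(serverUrl, username, password.getPlainText());
        }
    }

    /** Shared helper: builds a GET request carrying an HTTP Basic Authorization header. */
    static HttpRequest withBasicAuth(String url, String user, String plainPassword) {
        String token = Base64.getEncoder().encodeToString(
                (user + ":" + plainPassword).getBytes(StandardCharsets.UTF_8));
        return HttpRequest.newBuilder(URI.create(url))
                .header("Authorization", "Basic " + token)
                .GET()
                .build();
    }
}
```

When auditing an instance for this class of issue, inspect `$JENKINS_HOME/jobs/*/config.xml` for `<password>` elements: a value written by a `Secret` field is an opaque encrypted token (modern Jenkins wraps it in braces), whereas a `String` field leaves the literal password in the file. Because `Secret.fromString()` tolerates plaintext input, a job configured under a vulnerable version still loads after upgrading, but its config.xml keeps the cleartext until the job is saved again.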