CVE-2019-10283: Jenkins mabl Plugin stores credentials in plain text
CVSS Score: 4.3 (CVSS v3.0)

Basic Information
CVE ID: CVE-2019-10283
GHSA ID:
EPSS Score: 0.24491%
CWE:
Published: 5/13/2022
Updated: 10/26/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
com.mabl.integration.jenkins:mabl-integration | maven | <= 0.0.12 | 0.0.13 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers on plaintext credential storage in job config.xml files. In the Jenkins plugin architecture:
- Builders and Publishers serialize their configuration via XStream
- Getter methods directly influence the XML output
- The advisory specifically mentions job config.xml exposure
While the exact patch isn't visible, the pattern matches a common class of Jenkins credential-handling vulnerabilities:
- Plaintext String fields in Describable classes
- Missing validation in the @DataBoundConstructor
- Absence of hudson.util.Secret wrapping
Top candidates are the getters and setters on the configuration object that handle API keys. The class that executes the build step might also expose credentials during runtime operations.
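The following is an added illustration of the pattern the analysis describes, not code from the mabl plugin or its patch: a Jenkins Builder that keeps an API key in a plain String field (which XStream writes verbatim into the job's config.xml) beside the hardened form that wraps the field in hudson.util.Secret, whose registered XStream converter writes only the encrypted value. The class names, field names and the readResolve migration are hypothetical; the Jenkins APIs used (Builder, BuildStepDescriptor, DataBoundConstructor, Secret) are real.

```java
package example.jenkins;

import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

import java.io.IOException;

/**
 * Vulnerable pattern (hypothetical class): a plain String field.
 * XStream serializes the field as written, so config.xml ends up containing
 * <apiKey>the-real-key</apiKey>, readable by anyone with Job/ExtendedRead or
 * file-system access to JENKINS_HOME.
 */
class PlaintextKeyBuilder extends Builder {
    private final String apiKey;

    @DataBoundConstructor
    public PlaintextKeyBuilder(String apiKey) {
        this.apiKey = apiKey;
    }

    /** Also backs the config form, so the key round-trips in clear text. */
    public String getApiKey() {
        return apiKey;
    }
}

/**
 * Hardened pattern (hypothetical class): the same field typed as Secret.
 * Secret's XStream converter emits the encrypted form, e.g.
 * <apiKey>{AQAAABAAAA...}</apiKey>, and the matching Jelly form field
 * should be <f:password> so the browser never receives the plaintext.
 */
public class SecretKeyBuilder extends Builder {
    private Secret apiKey;

    /** Legacy field kept only so old config.xml files still deserialize. */
    @Deprecated
    private transient String plainApiKey;

    @DataBoundConstructor
    public SecretKeyBuilder(Secret apiKey) {
        this.apiKey = apiKey;
    }

    public Secret getApiKey() {
        return apiKey;
    }

    /**
     * Migration hook: when XStream loads a job saved by the old version,
     * convert the plaintext value into a Secret and drop the plaintext field.
     * The next save then rewrites config.xml with the encrypted form.
     */
    protected Object readResolve() {
        if (plainApiKey != null) {
            apiKey = Secret.fromString(plainApiKey);
            plainApiKey = null;
        }
        return this;
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener)
            throws InterruptedException, IOException {
        // Decrypt only at the point of use, and never echo it to the build log.
        String key = Secret.toString(apiKey);
        if (key.isEmpty()) {
            listener.error("API key is not configured");
            return false;
        }
        listener.getLogger().println("Calling external service with a configured API key");
        // ... use 'key' for the outbound request here ...
        return true;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example step with a Secret-wrapped API key";
        }
    }
}
```

Two checks follow from this pattern. First, after upgrading a plugin that made such a change, open `$JENKINS_HOME/jobs/<job>/config.xml` and confirm the credential element now holds a `{...}` encrypted value rather than the raw key; the old value is only rewritten when the job is next saved, so a resave (or a forced `job.save()` via the script console) may be needed. Second, any key that was ever stored in the plaintext form should be treated as exposed to everyone who could read that file and be rotated.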