Miggo Logo
Miggo Vulnerability Database
CVE-2019-10288

CVE-2019-10288:
Jenkins Jabber Server Plugin stores credentials in plain text

3.3

CVSS Score
3.0

Basic Information

CVE ID
CVE-2019-10288
GHSA ID
GHSA-cc7j-xx7q-fr34
EPSS Score
0.24491%
CWE
CWE-522
Published
5/13/2022
Updated
10/26/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
de.e-nexus:jabber-server-pluginmaven<= 1.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unencrypted credential storage in JabberBuilder.xml. Jenkins plugins typically handle configuration through Descriptor classes and XStream serialization. The saveConfiguration method (or equivalent persistence mechanism) would be directly writing credentials to disk without encryption. The DescriptorImpl.configure method would process form submissions containing credentials but fail to use Jenkins' credential encryption APIs. Confidence is high for the persistence mechanism due to the specific file path in advisories, and medium for the descriptor method due to typical Jenkins plugin patterns without seeing actual code.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins J****r S*rv*r Plu*in stor*s *r***nti*ls un*n*rypt** in its *lo**l *on*i*ur*tion *il* `**.*_n*xus.j****r.J****r*uil**r.xml` on t** J*nkins *ontroll*r. T**s* *r***nti*ls **n ** vi*w** *y us*rs wit* ****ss to t** J*nkins *ontroll*r *il* syst*m.

Reasoning

T** vuln*r**ility st*ms *rom un*n*rypt** *r***nti*l stor*** in `J****r*uil**r.xml`. J*nkins plu*ins typi**lly **n*l* *on*i*ur*tion t*rou** **s*riptor *l*ss*s *n* XStr**m s*ri*liz*tion. T** `s*v**on*i*ur*tion` m*t*o* (or *quiv*l*nt p*rsist*n** m****ni