3.3

CVSS Score

Basic Information

CVE ID

CVE-2019-10291

GHSA ID

GHSA-m7q8-8g56-m78w

EPSS Score

CWE

CWE-522

Published

5/13/2022

Updated

10/26/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10291

CVE-2019-10291:
Jenkins Netsparker Enterprise Scan Plugin stored credentials in plain text

Jenkins Netsparker Enterprise Scan Plugin stored API tokens unencrypted in its global configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the Jenkins controller. These API tokens could be viewed by users with access to the Jenkins controller file system.

Netsparker Enterprise Scan Plugin now stores API tokens encrypted.

(GitHub Advisory)

3.3

CVSS Score

Basic Information

CVE ID

CVE-2019-10291

GHSA ID

GHSA-m7q8-8g56-m78w

EPSS Score

CWE

CWE-522

Published

5/13/2022

Updated

10/26/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:netsparker-cloud-scan	maven	<= 1.1.5	1.1.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from plaintext storage of API tokens in Jenkins configuration files. Key evidence comes from:

ScanRequestBase's auth header generation directly using the API token string pre-patch
DescriptorImpl.configure() handling unencrypted token storage in global config
NCScanBuilder's setter accepting raw strings before Secret conversion These functions collectively handled credential processing/storage without encryption prior to the security fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins N*tsp*rk*r *nt*rpris* S**n Plu*in stor** *PI tok*ns un*n*rypt** in its *lo**l *on*i*ur*tion *il* `*om.n*tsp*rk*r.*lou*.plu*in.N*S**n*uil**r.xml` on t** J*nkins *ontroll*r. T**s* *PI tok*ns *oul* ** vi*w** *y us*rs wit* ****ss to t** J*nkins *

Reasoning

T** vuln*r**ility st*mm** *rom pl*int*xt stor*** o* *PI tok*ns in J*nkins *on*i*ur*tion *il*s. K*y *vi**n** *om*s *rom: *. S**nR*qu*st**s*'s *ut* *****r **n*r*tion *ir**tly usin* t** *PI tok*n strin* pr*-p*t** *. **s*riptorImpl.*on*i*ur*() **n*lin* u

3.3

Basic Information

Concerned about an active attack path?

CVE-2019-10291: Jenkins Netsparker Enterprise Scan Plugin stored credentials in plain text

3.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-10291:
Jenkins Netsparker Enterprise Scan Plugin stored credentials in plain text

Vulnerability Intelligence
Miggo AI