
CVE-2019-10297: Jenkins Sametime Plugin stores credentials in plain text

CVSS Score: 3.3 (CVSS 3.0)

Basic Information

EPSS Score: 0.24491%
Published: 5/13/2022
Updated: 10/26/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jenkins-ci.plugins:sametime
Ecosystem: maven
Vulnerable Versions: <= 0.4
First Patched Version: (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the plugin storing credentials in plain text in its global configuration file. Jenkins plugins typically use XStream to serialize and deserialize configuration data. The SametimePublisher class (evident from the XML filename) would contain methods such as configure() for saving settings and readResolve() for loading them. Because the credentials are stored unencrypted, these methods do not use Jenkins' Secret class or any other encryption mechanism when handling sensitive data. The high confidence comes from the direct mapping between the disclosed vulnerable file pattern and standard Jenkins plugin implementation practices for configuration handling.
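To show the pattern the analysis describes, here is a hypothetical Jenkins descriptor with the plain String field beside the Secret-backed form; this is an added illustration, not the Sametime plugin's own code, and the class name ExampleImDescriptor and the field names are assumptions.

```java
import hudson.Extension;
import hudson.model.Descriptor;
import hudson.tasks.Publisher;
import hudson.util.Secret;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.StaplerRequest;

// Hypothetical descriptor; class and field names are assumptions, not the
// Sametime plugin's code. Descriptor state is persisted by XStream to
// $JENKINS_HOME/<fully-qualified class name>.xml, field by field, as typed.
@Extension
public class ExampleImDescriptor extends Descriptor<Publisher> {
    // VULNERABLE PATTERN: a String field is serialized verbatim, so the password
    // sits in the XML file in clear text for anyone who can read the controller's disk.
    // private String password;

    // HARDENED: hudson.util.Secret serializes as its encrypted value (using
    // the controller's secret key), never as plain text.
    private Secret password;

    // Legacy clear-text field, kept non-transient only so XStream can still
    // read old XML files; readResolve() migrates and clears it.
    @Deprecated
    private String plainPassword;

    public ExampleImDescriptor() {
        super(Publisher.class);
        load(); // reads the XML; XStream then invokes readResolve()
    }

    // XStream post-deserialization hook: migrate a legacy value into a Secret.
    protected Object readResolve() {
        if (plainPassword != null) {
            password = Secret.fromString(plainPassword);
            plainPassword = null; // next save() writes only the encrypted form
        }
        return this;
    }

    // Form submit: wrap before storing so no plain String reaches the serializer;
    // decrypt only at point of use via getPlainText(), never for display/logging.
    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        password = Secret.fromString(json.getString("password"));
        save();
        return true;
    }
}
```

A quick check on an existing controller is to grep the plugin's global configuration XML under JENKINS_HOME for the password element: a Secret-backed field holds an opaque encrypted value, while the vulnerable pattern shows the credential verbatim.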


WAF Protection Rules

WAF Rule

Jenkins Sametime Plugin stores credentials unencrypted in its global configuration file `hudson.plugins.sametime.im.transport.SametimePublisher.xml` on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins contro
