CVE-2019-10318: Jenkins Azure AD Plugin stored the client secret unencrypted
3.3
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.24491%
CWE
Published
5/24/2022
Updated
12/5/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:azure-ad | maven | <= 0.3.3 | 0.3.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from unencrypted storage of client secrets in Jenkins' config.xml
. The commit diff shows the critical change occurred in AzureSecurityRealm.java
's XML marshaling logic, where client secret storage was modified from plaintext (getClientSecret()
) to encrypted (getClientSecretSecret()
). The ConverterImpl.marshal
method was directly responsible for writing this sensitive data to persistent storage without encryption in vulnerable versions.