Miggo Logo
Miggo Vulnerability Database
CVE-2019-10348

CVE-2019-10348: Jenkins Gogs Plugin stored credentials in plain text

4.3

CVSS Score
3.0

Basic Information

CVE ID
CVE-2019-10348
GHSA ID
GHSA-q736-rgcp-q443
EPSS Score
0.26188%
CWE
CWE-312
Published
5/24/2022
Updated
12/5/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:gogs-webhookmaven<= 1.0.141.0.15

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerable functions are identified based on the changes made to handle the gogsSecret securely. The original handling of gogsSecret as a plain String in GogsProjectProperty was insecure, and the patch updated this to use Jenkins' Secret class for secure handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *o*s Plu*in stor** *r***nti*ls un*n*rypt** in jo* `*on*i*.xml` *il*s on t** J*nkins *ontroll*r. T**s* *r***nti*ls *oul* ** vi*w** *y us*rs wit* *xt*n*** R*** p*rmission, or ****ss to t** J*nkins *ontroll*r *il* syst*m. *o*s Plu*in now stor*s

Reasoning

T** vuln*r**l* *un*tions *r* i**nti*i** **s** on t** ***n**s m*** to **n*l* t** `*o*sS**r*t` s**ur*ly. T** ori*in*l **n*lin* o* `*o*sS**r*t` *s * pl*in Strin* in `*o*sProj**tProp*rty` w*s ins**ur*, *n* t** p*t** up**t** t*is to us* `J*nkins' S**r*t`