5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10367

GHSA ID

GHSA-7c3v-vc3x-x789

EPSS Score

0.05904%

CWE

CWE-532

Published

5/24/2022

Updated

12/6/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10367

CVE-2019-10367: Insertion of Sensitive Information into Log File in Jenkins Configuration as Code Plugin

Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure. Configuration as Code Plugin inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. This was implemented in the fix for SECURITY-1279 in the 2019-07-31 security advisory.

That fix was incomplete and did not cover a log message written to the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.

Configuration as Code Plugin now uses the same secret detection for these log messages.

As a workaround, administrators can configure the logging level of the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator to a level that does not include these messages. Configuration as Code Plugin 1.25 and earlier logs these messages at the INFO level, Configuration as Code Plugin 1.26 logs them at FINE. See the logging documentation for details.

(GitHub Advisory)

5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10367

GHSA ID

GHSA-7c3v-vc3x-x789

EPSS Score

0.05904%

CWE

CWE-532

Published

5/24/2022

Updated

12/6/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.jenkins:configuration-as-code	maven	<= 1.26	1.27

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from incomplete secret masking in DataBoundConfigurator's logging. The commit diff shows the fix added Attribute.calculateIfSecret() checks to the logging logic in tryConstructor. The original code (lines 163-164) only masked Secret.class types, while the patched version (lines 164-166) added robust secret detection. This matches the advisory's description of incomplete masking in DataBoundConfigurator logs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*on*i*ur*tion *s *o** Plu*in lo*s t** ***n**s it *ppli*s to t** J*nkins syst*m lo*. S**r*ts su** *s p*sswor*s s*oul* ** m*sk** (i.*. r*pl**** wit* *st*risks) in t**t lo* to pr*v*nt ***i**nt*l *is*losur*. *on*i*ur*tion *s *o** Plu*in insp**ts t** typ*

Reasoning

T** vuln*r**ility st*mm** *rom in*ompl*t* s**r*t m*skin* in `**t**oun**on*i*ur*tor`'s lo**in*. T** *ommit *i** s*ows t** *ix ***** `*ttri*ut*.**l*ul*t*I*S**r*t()` ****ks to t** lo**in* lo*i* in `try*onstru*tor`. T** ori*in*l *o** (lin*s ***-***) only

5.5

Basic Information

Concerned about an active attack path?

CVE-2019-10367: Insertion of Sensitive Information into Log File in Jenkins Configuration as Code Plugin

5.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI