Miggo Logo
Miggo Vulnerability Database
CVE-2019-10379

CVE-2019-10379: Jenkins Google Cloud Messaging Notification Plugin stores credentials in plain text

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2019-10379
GHSA ID
GHSA-c3r5-vxj6-62mc
EPSS Score
0.26474%
CWE
CWE-522
Published
5/24/2022
Updated
1/30/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:gcm-notificationmaven<= 1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unencrypted credential storage in the global configuration file. Jenkins plugins typically use XStream serialization for configuration persistence. The GcmPublisher class's configure method (or related persistence mechanism) would be responsible for writing configuration data to disk. Since the advisory explicitly identifies the vulnerable file (GcmPublisher.xml) and lack of encryption, the function handling configuration serialization is the root cause. The high confidence comes from the direct match between the documented vulnerable file pattern and standard Jenkins plugin architecture for configuration handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *oo*l* *lou* M*ss**in* Noti*i**tion Plu*in *.* *n* **rli*r stor*s *r***nti*ls un*n*rypt** in its *lo**l *on*i*ur*tion *il* on t** J*nkins m*st*r w**r* t**y **n ** vi*w** *y us*rs wit* ****ss to t** m*st*r *il* syst*m.

Reasoning

T** vuln*r**ility st*ms *rom un*n*rypt** *r***nti*l stor*** in t** *lo**l *on*i*ur*tion *il*. J*nkins plu*ins typi**lly us* XStr**m s*ri*liz*tion *or *on*i*ur*tion p*rsist*n**. T** `**mPu*lis**r` *l*ss's `*on*i*ur*` m*t*o* (or r*l*t** p*rsist*n** m**