Miggo Logo
Miggo Vulnerability Database
CVE-2019-10419

CVE-2019-10419:
Jenkins vFabric Application Director Plugin Insufficiently Protected Credentials

3.3

CVSS Score
3.0

Basic Information

CVE ID
CVE-2019-10419
GHSA ID
GHSA-hx82-2ggv-vwm5
EPSS Score
0.05573%
CWE
CWE-522
Published
5/24/2022
Updated
2/23/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:application-director-pluginmaven<= 1.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unencrypted storage of credentials in the plugin's XML configuration file. In Jenkins plugin architecture, global configuration is typically handled by a DescriptorImpl class using Stapler form binding. The configure() method is responsible for persisting configuration data, and setPassword() would be the method binding the password field from the configuration form. Since the password is stored in plaintext, these functions fail to utilize Jenkins' built-in credential encryption (e.g., Secret class) or secure credential stores. The high confidence comes from the advisory's explicit mention of the vulnerable file pattern and Jenkins plugin development conventions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

v***ri* *ppli**tion *ir**tor Plu*in stor*s t** *ppli**tion *ir**tor p*sswor* un*n*rypt** in its *lo**l *on*i*ur*tion *il* `j*ull*m.v***ri*.j*nkins.plu*in.*ppli**tion*ir**torPost*uil***ploy*r.xml` on t** J*nkins *ontroll*r. T*is p*sswor* **n ** vi*w**

Reasoning

T** vuln*r**ility st*ms *rom un*n*rypt** stor*** o* *r***nti*ls in t** plu*in's XML *on*i*ur*tion *il*. In J*nkins plu*in *r**it**tur*, *lo**l *on*i*ur*tion is typi**lly **n*l** *y * `**s*riptorImpl` *l*ss usin* St*pl*r *orm *in*in*. T** `*on*i*ur*()