Miggo Logo

CVE-2019-10424: Jenkins elOyente Plugin has Insufficiently Protected Credentials

3.3

CVSS Score
3.0

Basic Information

EPSS Score
0.05573%
Published
5/24/2022
Updated
2/23/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.technicolor:elOyentemaven<= 1.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unencrypted storage of credentials in the plugin's global configuration file. Jenkins plugins typically use a configure() method in their Builder/Descriptor classes to handle configuration persistence. The high confidence in ElOyenteBuilder.configure comes from: 1) Standard Jenkins plugin architecture patterns 2) Direct reference to the vulnerable file name matching the plugin's FQCN 3) The CWE-522 pattern matching unencrypted credential persistence. The setPassword method is inferred as medium confidence since password handling setters are typically involved in credential storage flows, though without seeing the actual code we can't confirm implementation details.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*lOy*nt* Plu*in stor*s * p*sswor* un*n*rypt** in its *lo**l *on*i*ur*tion *il* `*om.t***ni*olor.*loy*nt*.*lOy*nt*.xm`l on t** J*nkins *ontroll*r. T*is p*sswor* **n ** vi*w** *y us*rs wit* ****ss to t** J*nkins *ontroll*r *il* syst*m. *s o* pu*li**ti

Reasoning

T** vuln*r**ility st*ms *rom un*n*rypt** stor*** o* *r***nti*ls in t** plu*in's *lo**l *on*i*ur*tion *il*. J*nkins plu*ins typi**lly us* * `*on*i*ur*()` m*t*o* in t**ir *uil**r/**s*riptor *l*ss*s to **n*l* *on*i*ur*tion p*rsist*n**. T** *i** *on*i**n