CVE-2019-10427: Jenkins Aqua MicroScanner Plugin showed plain text credential in configuration form
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.14878%
CWE
Published
5/24/2022
Updated
1/30/2024
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:aqua-microscanner | maven | <= 1.0.7 | 1.0.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers on plaintext credential exposure in configuration forms. Jenkins plugins typically handle credentials through getter methods in DescriptorImpl
classes that bind to UI elements. The advisory explicitly states credentials were stored encrypted but transmitted decrypted, indicating the getter method responsible for populating the form field returned the plaintext secret. The function
name follows Jenkins plugin conventions (DescriptorImpl
pattern) and matches the credential handling workflow described in the advisory.