
CVE-2019-10427: Jenkins Aqua MicroScanner Plugin showed plain text credential in configuration form

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.14878%
Published: 5/24/2022
Updated: 1/30/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name: org.jenkins-ci.plugins:aqua-microscanner
Ecosystem: maven
Vulnerable Versions: <= 1.0.7
First Patched Version: 1.0.8

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a plaintext credential exposure in a configuration form. Jenkins plugins typically expose their global settings through getter methods on a descriptor class (the `DescriptorImpl` / `GlobalConfiguration` pattern) that the Jelly form fields bind to. The advisory states that the credentials were stored encrypted on disk but transmitted in plain text as part of the global Jenkins configuration form, which indicates that the getter populating the form field returned the decrypted secret instead of the encrypted value that Jenkins' `hudson.util.Secret` type renders into a form. Every administrator who loaded the form therefore received the credential in the page source, where a browser extension, a logging proxy or a cross-site scripting flaw on the same origin could read it; since the global configuration form requires the Administer permission, the exposure is to administrators' browsers and whatever can observe them, not to anonymous users. The function identified here was selected because it follows that descriptor convention and matches the credential-handling workflow the advisory describes.
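To make the pattern concrete, the following is an added example and not code from the Aqua MicroScanner plugin, the Jenkins advisory or Miggo: a hypothetical Jenkins global-configuration descriptor written the vulnerable way (a `Secret` encrypted on disk, but a getter that hands the plaintext to the form) beside the hardened form Jenkins recommends for this class of issue. The class names, the `token` field and the Jelly fragments quoted in the comments are assumptions for illustration; the Jenkins APIs used (`GlobalConfiguration`, `hudson.util.Secret`, `@DataBoundSetter`, `StaplerRequest#bindJSON`) are real.

```java
// Added illustration, not code from the Aqua MicroScanner plugin or the
// advisory. Class names, the "token" field and the Jelly fragments quoted in
// comments are hypothetical. Two classes share one file here for brevity; in
// a real plugin each would be its own public class.
package example.jenkins;

import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.StaplerRequest;

/**
 * The defect class: the token is kept as a Secret, so it is encrypted in the
 * descriptor's XML on the controller, but the getter that the Jelly field binds
 * to unwraps it. Every administrator who loads the global configuration form
 * receives the plaintext token in the page source, where a browser extension,
 * a logging proxy or an XSS payload on the same origin can read it.
 *
 * Matching config.jelly (hypothetical):
 *   <f:entry title="Token" field="token"><f:textbox/></f:entry>
 */
@Extension
class VulnerableScannerConfig extends GlobalConfiguration {
    private Secret token;

    public VulnerableScannerConfig() {
        load();   // reads the encrypted value from disk
    }

    /** Bound to the form field: this is where the plaintext leaves the controller. */
    public String getToken() {
        return token == null ? "" : token.getPlainText();
    }

    @DataBoundSetter
    public void setToken(String token) {
        this.token = Secret.fromString(token);   // encrypted on save; storage is fine
        save();
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        req.bindJSON(this, json);
        save();
        return true;
    }
}

/**
 * The hardened form. The getter returns the Secret itself; <f:password> renders
 * Secret.toString(), which is the encrypted value ("{AQAAABAAAA...}"), and on
 * submit Stapler passes that string through Secret.fromString(), which decrypts
 * a value in that format and treats anything else as a newly entered plaintext
 * token. The plaintext never appears in the page.
 *
 * Matching config.jelly (hypothetical):
 *   <f:entry title="Token" field="token"><f:password/></f:entry>
 */
@Extension
public class HardenedScannerConfig extends GlobalConfiguration {
    private Secret token;

    public HardenedScannerConfig() {
        load();
    }

    /** Returns the Secret, not a String: the form only ever sees ciphertext. */
    public Secret getToken() {
        return token;
    }

    @DataBoundSetter
    public void setToken(Secret token) {
        this.token = token;
        save();
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        req.bindJSON(this, json);
        save();
        return true;
    }

    /** Decrypt only at the point of use, e.g. when building the scanner's HTTP request. */
    public String tokenForApiCall() {
        return token == null ? "" : token.getPlainText();
    }
}
```

To check a running controller after upgrading the plugin, load the global configuration page with view-source and confirm that the token field carries an encrypted `{...}` string rather than the token itself. The caveat: `Secret` protects the value in the form and in transit to the browser only. Anyone who can read the controller's `secrets/master.key` and `secrets/hudson.util.Secret`, or run a Groovy script on the controller, can still decrypt it, so this fix addresses exposure through the configuration form, not controller compromise.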


WAF Protection Rules

WAF Rule

Jenkins Aqua MicroScanner Plugin 1.0.7 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
