8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10443

GHSA ID

GHSA-362p-56c9-q273

EPSS Score

0.31631%

CWE

CWE-312

Published

5/24/2022

Updated

2/15/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10443

CVE-2019-10443: Jenkins iceScrum Plugin stores credentials in Cleartext

Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10443

GHSA ID

GHSA-362p-56c9-q273

EPSS Score

0.31631%

CWE

CWE-312

Published

5/24/2022

Updated

2/15/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:icescrum	maven	< 1.1.5	1.1.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the iceScrum Plugin storing credentials unencrypted in job config.xml files. Jenkins plugins typically handle credential persistence via methods like saveCredentials() and retrieval via getCredentials(). The advisory explicitly states credentials were stored in cleartext, implying these functions did not use Jenkins' encrypted credential storage mechanisms (e.g., Secret class or CredentialsBinding). The high confidence comes from the pattern of similar vulnerabilities in Jenkins plugins and the explicit reference to config.xml storage in the CVE description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins i**S*rum Plu*in *.*.* *n* **rli*r stor** *r***nti*ls un*n*rypt** in jo* *on*i*.xml *il*s on t** J*nkins m*st*r w**r* t**y *oul* ** vi*w** *y us*rs wit* *xt*n*** R*** p*rmission, or ****ss to t** m*st*r *il* syst*m.

Reasoning

T** vuln*r**ility st*ms *rom t** i**S*rum Plu*in storin* *r***nti*ls un*n*rypt** in jo* `*on*i*.xml` *il*s. J*nkins plu*ins typi**lly **n*l* *r***nti*l p*rsist*n** vi* m*t*o*s lik* `s*v**r***nti*ls()` *n* r*tri*v*l vi* `**t*r***nti*ls()`. T** **visor

8.8

Basic Information

Concerned about an active attack path?

CVE-2019-10443: Jenkins iceScrum Plugin stores credentials in Cleartext

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI