
CVE-2019-10461: Jenkins Dynatrace Plugin vulnerable to Insufficiently Protected Credentials

CVSS Score (v3.1): 7.8

Basic Information

EPSS Score: 0.01084%
Published: 5/24/2022
Updated: 1/31/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected package
Package Name: org.jenkins-ci.plugins:dynatrace-dashboard
Ecosystem: maven
Vulnerable Versions: < 2.1.4
First Patched Version: 2.1.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from unencrypted credential storage in the global config.php file. Jenkins plugins typically handle credential storage through methods in their global configuration class (TAGlobalConfiguration). The CVE specifically mentions credentials being stored in TAGlobalConfiguration.xml, which implicates the configuration persistence mechanism. The configure method (which handles form submissions) and the credential setters are the code paths that store the values without using Jenkins' Secret class or any other encryption. This matches a common Jenkins plugin vulnerability pattern in which plaintext storage occurs in DataBoundSetter or configure methods.
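As an added illustration (not the plugin's own code), the pattern the analysis describes: a global configuration that persists a password as a plain String, beside the hardened form that holds it as hudson.util.Secret so the persisted XML carries an encrypted value. The class and field names are assumed; the two classes would live in separate source files.

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.StaplerRequest;

// --- Vulnerable pattern (hypothetical class, modelled on the analysis above) ---
// A plain String field is serialized by XStream as-is, so the password lands in
// cleartext in <JENKINS_HOME>/<ClassName>.xml on the controller, readable by
// anyone with access to that file system.
@Extension
public class PlaintextGlobalConfiguration extends GlobalConfiguration {
    private String password;   // persisted verbatim

    public PlaintextGlobalConfiguration() { load(); }

    @DataBoundSetter
    public void setPassword(String password) { this.password = password; save(); }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        req.bindJSON(this, json);  // invokes setPassword with the raw form value
        save();                    // writes the plaintext to disk
        return true;
    }
}

// --- Hardened pattern ---
// Holding the value as Secret means XStream persists it through Secret's
// converter as an encrypted blob bound to this Jenkins instance's key; the
// plaintext exists only where getPlainText() is called at the point of use.
@Extension
public class SecretGlobalConfiguration extends GlobalConfiguration {
    private Secret password;

    public SecretGlobalConfiguration() { load(); }

    @DataBoundSetter
    public void setPassword(Secret password) { this.password = password; save(); }

    public Secret getPassword() { return password; }

    // Decrypt only when the credential is actually needed, e.g. for an API call.
    String passwordForApiCall() {
        return password == null ? "" : password.getPlainText();
    }
}
```

A quick check after saving the form: the password element in the persisted XML under JENKINS_HOME should appear as a brace-wrapped encrypted blob, not the literal value that was typed.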


WAF Protection Rules

WAF Rule

Jenkins Dynatrace Application Monitoring Plugin prior to 2.1.4 stores credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. NOTE: This plugin is m
