6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-16542

GHSA ID

GHSA-jg29-c2qj-wpm3

EPSS Score

0.1451%

CWE

CWE-522

Published

5/24/2022

Updated

1/31/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-16542

CVE-2019-16542: Jenkins Anchore Container Scanner Plugin vulnerable to Insufficiently Protected Credentials

Jenkins Anchore Container Image Scanner Plugin 1.0.19 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

The credential being stored was a service password for the Anchore.io service. As the affected functionality has been deprecated, and the affected Anchore.io service has been shut down in late 2018, the affected feature has been removed.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-16542

GHSA ID

GHSA-jg29-c2qj-wpm3

EPSS Score

0.1451%

CWE

CWE-522

Published

5/24/2022

Updated

1/31/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:anchore-container-scanner	maven	< 1.0.20	1.0.20

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description indicates credentials were stored unencrypted in job config.xml files, but no specific functions are mentioned in the provided data. While the root cause relates to improper credential storage in configuration serialization, the advisory lacks commit diffs, patch details, or code references needed to identify exact vulnerable functions. The fix involved removing deprecated functionality rather than modifying specific functions. Without access to the plugin's source code changes between 1.0.19 and 1.0.20, we cannot confidently name specific vulnerable functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *n**or* *ont*in*r Im*** S**nn*r Plu*in *.*.** *n* **rli*r stor*s *r***nti*ls un*n*rypt** in jo* *on*i*.xml *il*s on t** J*nkins m*st*r w**r* t**y **n ** vi*w** *y us*rs wit* *xt*n*** R*** p*rmission, or ****ss to t** m*st*r *il* syst*m. T**

Reasoning

T** vuln*r**ility **s*ription in*i**t*s *r***nti*ls w*r* stor** un*n*rypt** in jo* `*on*i*.xml` *il*s, *ut no sp**i*i* *un*tions *r* m*ntion** in t** provi*** **t*. W*il* t** root **us* r*l*t*s to improp*r *r***nti*l stor*** in *on*i*ur*tion s*ri*liz

6.5

Basic Information

Concerned about an active attack path?

CVE-2019-16542: Jenkins Anchore Container Scanner Plugin vulnerable to Insufficiently Protected Credentials

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI