CVE-2019-16543: Plaintext Storage in Jenkins Spira Importer Plugin
CVSS Score
5.5 (CVSS v3.1)
Basic Information
CVE ID
CVE-2019-16543
GHSA ID
EPSS Score
0.01037%
CWE
Published
5/24/2022
Updated
1/30/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
com.inflectra.spiratest.plugins:inflectra-spira-integration | maven | < 3.2.3 | 3.2.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from plaintext credential storage in the plugin's global configuration XML file, com.inflectra.spiratest.plugins.SpiraBuilder.xml, which Jenkins writes into JENKINS_HOME on the controller whenever an administrator saves the plugin's global configuration. The CVSS vector (AV:L, PR:L, C:H) reflects that exposure: anyone with local file-system access to the controller can read the stored password, but no network path or user interaction is needed. In the Jenkins plugin architecture, the descriptor class (typically an inner class named DescriptorImpl) handles configuration persistence through its configure method, which takes the submitted form values and calls save(); save() serializes the descriptor's fields to the XML file with XStream. The primary vulnerable functions would therefore be that configure method and the setter for the password field: before the fix in 3.2.3 the password was held as a plain String and so was written to disk verbatim, whereas from 3.2.3 it is encrypted before it reaches the file (in Jenkins plugins the standard mechanism for this is the hudson.util.Secret type, which XStream serializes in encrypted form). These functions would appear in runtime profiling when an administrator saves the plugin configuration, i.e. whenever the system writes com.inflectra.spiratest.plugins.SpiraBuilder.xml.
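The following sketch, added here as an illustration and not taken from the Spira Importer Plugin's source, shows the descriptor pattern described above with the vulnerable field declaration beside the fixed one. The class name ExampleBuilder, the field names url/username/password and the form field names read in configure are assumptions chosen for the example; the Jenkins APIs used (Descriptor.configure, save(), load(), hudson.util.Secret) are real.

```java
package com.example.spira; // hypothetical package; not the plugin's own

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.StaplerRequest;

/** Illustrative build step; the interesting part is the descriptor below. */
public class ExampleBuilder extends Builder {

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // BEFORE (vulnerable pattern): a plain String field is serialized verbatim
        // by XStream into $JENKINS_HOME/<descriptor class name>.xml, so the file
        // contains e.g.  <password>hunter2</password>
        // private String password;

        // AFTER (fixed pattern): hudson.util.Secret is encrypted with the
        // instance's master key when serialized, so the file contains only a
        // braced base64 ciphertext, e.g.  <password>{AQAAABAA...}</password>
        private Secret password;
        private String url;      // assumed field
        private String username; // assumed field

        public DescriptorImpl() {
            load(); // reads the existing XML; Secret is decrypted transparently on load
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example importer (illustrative)";
        }

        // Called when an administrator saves the global configuration page.
        // This is the method that shows up in profiling at save time.
        @Override
        public boolean configure(StaplerRequest req, JSONObject formData) throws FormException {
            url = formData.getString("url");           // assumed form field name
            username = formData.getString("username"); // assumed form field name
            // Secret.fromString() accepts either the plaintext typed into the form
            // or an already-encrypted value round-tripped through the UI; either
            // way the field never holds a bare String that save() could leak.
            password = Secret.fromString(formData.getString("password"));
            save(); // XStream-serializes this descriptor to the XML file on the controller
            return super.configure(req, formData);
        }

        public String getUrl() { return url; }
        public String getUsername() { return username; }

        // Return the Secret, not a String, to Jelly views and other callers so
        // the plaintext is not re-exposed on the configuration page.
        public Secret getPassword() { return password; }

        // Decrypt only at the point of use (building the request to the remote
        // service); never log the result or expose it through a getter.
        String passwordForApiCall() {
            return password == null ? "" : password.getPlainText();
        }
    }
}
```

Two caveats worth keeping in mind when assessing the fixed version. The encrypted value is only as strong as the controller's key material: a user who can read both the XML file and secrets/master.key plus secrets/hudson.util.Secret from JENKINS_HOME can still decrypt it, and any user with Script Console access can call getPlainText() directly, so the fix narrows the exposure to the CVSS vector's local-access case rather than eliminating it. Also, as with any change of this kind, an existing plaintext value is only re-written in encrypted form once the configuration is saved again after upgrading, so the upgrade should be followed by re-saving the configuration and rotating the credential.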