3.1

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2019-16545

GHSA ID

GHSA-793w-q2h5-8h5j

EPSS Score

0.3415%

CWE

CWE-319

Published

5/24/2022

Updated

10/27/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-16545

CVE-2019-16545: Jenkins QMetry for JIRA Plugin shows plain text password in configuration form

Jenkins QMetry for JIRA - Test Management Plugin stores a credential as part of its post-build step configuration.

While the password is stored encrypted on disk since QMetry for JIRA - Test Management Plugin 1.13, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2019-16545

CVE-2019-16545:

3.1

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2019-16545

GHSA ID

GHSA-793w-q2h5-8h5j

EPSS Score

0.3415%

CWE

CWE-319

Published

5/24/2022

Updated

10/27/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:qmetry-for-jira-test-management	maven	<= 1.13	1.14.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from password fields being handled as plain text in configuration forms. The commit diff shows critical changes: (1) Password fields were migrated from String to Jenkins' Secret type, (2) getters/setters were modified to avoid decryption during form rendering, and (3) authentication logic in UploadToServer was updated to use Secret.getPlainText() instead of raw strings. The original functions transmitted passwords as plain text because they used String types for sensitive data, allowing exposure via browser DOM, XSS, or network interception. The high confidence stems from explicit code changes addressing cleartext transmission in the patched commit.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2019-16545: Jenkins QMetry for JIRA Plugin shows plain text password in configuration form

CVE-2019-16545:

3.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2019-16545: Jenkins QMetry for JIRA Plugin shows plain text password in configuration form

Basic Information

Basic Information

Technical Details

3.1

3.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI