3.3

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2019-16572

GHSA ID

GHSA-5c97-gxr3-r368

EPSS Score

0.09244%

CWE

CWE-256

Published

5/24/2022

Updated

8/9/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-16572

CVE-2019-16572: Jenkins Weibo Plugin stores credentials unencrypted in its global configuration file

Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2019-16572

CVE-2019-16572:

3.3

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2019-16572

GHSA ID

GHSA-5c97-gxr3-r368

EPSS Score

0.09244%

CWE

CWE-256

Published

5/24/2022

Updated

8/9/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:weibo	maven	<= 1.0.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unencrypted credential storage in WeiboNotifier.xml. Jenkins plugins typically handle configuration through DescriptorImpl.configure for global settings and store sensitive data using Secret objects. The presence of plaintext credentials in the XML file implies:

The configure method fails to use Jenkins' Secret API during configuration persistence
The credential field in WeiboNotifier is stored as a plain String rather than a Secret
The XStream serialization (used by Jenkins for config files) isn't leveraging credential protection mechanisms While exact code isn't available, Jenkins plugin architecture patterns and the specific file path mentioned in advisories strongly indicate these entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2019-16572: Jenkins Weibo Plugin stores credentials unencrypted in its global configuration file

CVE-2019-16572:

3.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2019-16572: Jenkins Weibo Plugin stores credentials unencrypted in its global configuration file

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

3.3

3.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI