CVE-2019-16572: Jenkins Weibo Plugin stores credentials unencrypted in its global configuration file
3.3
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.09244%
CWE
Published
5/24/2022
Updated
8/9/2024
KEV Status
No
Technology
Java
JavaTechnical Details
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:weibo | maven | <= 1.0.1 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability stems from unencrypted credential storage in WeiboNotifier.xml. Jenkins plugins typically handle configuration through DescriptorImpl.configure for global settings and store sensitive data using Secret objects. The presence of plaintext credentials in the XML file implies:
- The configure method fails to use Jenkins' Secret API during configuration persistence
- The credential field in WeiboNotifier is stored as a plain String rather than a Secret
- The XStream serialization (used by Jenkins for config files) isn't leveraging credential protection mechanisms While exact code isn't available, Jenkins plugin architecture patterns and the specific file path mentioned in advisories strongly indicate these entry points.