-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from unencrypted password storage in config.xml files. Jenkins plugin credentials are typically handled via: 1) Data-bound fields in builders (like ECXBuilder) that serialize to job configs, and 2) DescriptorImpl classes managing global configuration. The advisory explicitly states the password is stored in plain text in job config.xml, indicating the functions responsible for persisting the password field (likely servicePassword setters/constructors and configuration serialization logic) lack encryption. While no code is available, Jenkins plugin design patterns and the CWE-256/522 mapping strongly suggest these are the vulnerable components.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.catalogic.ecxjenkins:catalogic-ecx | maven | <= 1.9 |