-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
JavaJavaMiggo AIRoot Cause AnalysisThe vulnerability explicitly describes plaintext password storage in job config.xml files. Jenkins plugins typically serialize job configuration data using XStream, which writes field values directly unless explicitly protected. The absence of encryption implies the password field was declared as a String (not Secret) and lacked @Secret annotations or proper handling. While the exact class/method names are unavailable without source code, the root cause lies in the serialization logic of password fields in configuration classes, a common pattern in Jenkins plugins. This matches CWE-256 (plaintext storage) and CWE-522 (insufficient credential protection).
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:mailcommander | maven | <= 1.0.0 |
Ongoing coverage of React2Shell