CVE-2023-24439:
Plaintext Storage of a Password in Jenkins JIRA Pipeline Steps Plugin

CVSS Score (v3.1)
5.5

Basic Information

EPSS Score
0.05598%
Published
1/26/2023
Updated
2/6/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name
org.jenkins-ci.plugins:jira-steps
Ecosystem
maven
Vulnerable Versions
<= 2.0.165.v8846cf59f3db
First Patched Version
(none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unencrypted storage of private keys in JiraStepsConfig.xml. Jenkins plugins typically use Java classes with DataBound setters/getters and XStream serialization for configuration. The functions responsible for setting the private key value (setPrivateKey()) and persisting the configuration (save()) would directly handle the plaintext storage. The advisory's explicit reference to JiraStepsConfig.xml and the lack of an encryption mechanism confirm that these functions are involved in the insecure storage.
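As an added illustration (not code from this page or from the plugin itself), the configuration shape the analysis describes is shown beside the hudson.util.Secret form that Jenkins provides for exactly this case; the class name ExampleJiraGlobalConfig and the containsPlaintextKey helper are hypothetical:

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

/**
 * Hypothetical global configuration (not the plugin's own class) showing the
 * storage pattern the advisory describes and the standard Jenkins fix.
 *
 * Vulnerable shape: the field is a plain String. XStream serialises it as-is,
 * so save() writes the PEM text to JENKINS_HOME/<ClassName>.xml in clear:
 *
 *     private String privateKey;
 *     @DataBoundSetter public void setPrivateKey(String v) { privateKey = v; save(); }
 *
 * Hardened shape below: hudson.util.Secret. Jenkins registers an XStream
 * converter for Secret, so the XML holds the encrypted form instead.
 */
@Extension
public class ExampleJiraGlobalConfig extends GlobalConfiguration {

    private Secret privateKey;

    public ExampleJiraGlobalConfig() {
        load(); // reads the XML back; the Secret is decrypted on demand, not on load
    }

    public Secret getPrivateKey() {
        return privateKey;
    }

    @DataBoundSetter
    public void setPrivateKey(Secret privateKey) {
        this.privateKey = privateKey;
        save(); // persists <privateKey>{...base64...}</privateKey>, not the PEM text
    }

    /** Decrypt only where the key is consumed; never log or re-persist this value. */
    public String privateKeyPlainText() {
        return privateKey == null ? null : privateKey.getPlainText();
    }

    /** Defender check (hypothetical helper): flag a config XML that still holds key material in clear. */
    static boolean containsPlaintextKey(String configXml) {
        return configXml.contains("-----BEGIN") && configXml.contains("PRIVATE KEY-----");
    }
}
```

Stapler binds the form field to the Secret parameter via Secret.fromString, so the Jelly view only needs an f:password control; an existing XML written by the String version can be audited with containsPlaintextKey before the upgraded class re-saves it.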

WAF Protection Rules

WAF Rule

Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
