-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from two key issues: (1) Cleartext storage in config.xml implies the absence of encryption during configuration serialization, which typically occurs in the DescriptorImpl's configuration handling methods. (2) The lack of UI masking suggests the client secret field in the Jelly configuration form uses a plaintext input (f:text) instead of a masked input (f:password). While the Jelly template itself isn't a 'function,' the root cause lies in the Java methods responsible for storing the secret. The configure() and setClientSecret() methods are identified as vulnerable because they directly handle the sensitive data without using Jenkins' Secret class for encryption or proper UI masking mechanisms.
JavaJava| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:wso2id-oauth | maven | <= 1.0 |
KEV Misses 88% of Exploited CVEs- Get the report