CVE-2024-28154: Jenkins MQ Notifier Plugin exposes sensitive information in build logs

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.28133%
CWE: -
Published: 3/6/2024
Updated: 1/21/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name: com.sonymobile.jenkins.plugins.mq:mq-notifier
Ecosystem: maven
Vulnerable Versions: < 1.4.1
First Patched Version: 1.4.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from verbose logging being enabled by default (via enableVerboseLogging=true) in MQNotifierConfig. The functions RunListenerImpl.logMessage and MQMessageStep.run used this flag to log JSON messages containing build parameters. The patch introduced enableVerboseLoggingBoolean (defaulting to null/false) and migrated checks to this field, explicitly disabling verbose logging by default. The original functions using enableVerboseLogging were the entry points for insecure logging.

WAF Protection Rules

WAF Rule

Jenkins MQ Notifier Plugin versions prior to 1.4.1 log potentially sensitive build parameters as part of debug information in build logs by default.

Reasoning

The vulnerability stems from verbose logging being enabled by default (via enableVerboseLogging=true) in MQNotifierConfig. The functions RunListenerImpl.logMessage and MQMessageStep.run used this flag to log JSON messages containing build parameters.