| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:aqua-security-scanner | maven | <= 3.2.8 | |
The vulnerability lies in the AquaDockerScannerBuilder class, which is responsible for configuring the Aqua Security scanner build step in Jenkins. The root cause is the insecure handling of the localToken credential. Instead of using Jenkins' built-in hudson.util.Secret class to manage the secret, the plugin stores the token in a plain java.lang.String field.
The methods AquaDockerScannerBuilder (constructor), setLocalToken (setter), and getLocalToken (getter) are all part of the data binding and persistence mechanism that Jenkins uses. The constructor and setter accept the token as a String from the user configuration, and the getter exposes this String to the persistence layer. This results in the token being saved in the job's config.xml file in an unencrypted format, making it accessible to any user with Item/Extended Read permissions or file system access to the Jenkins controller.
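The following is an added illustration of the weak and the corrected pattern described above; it is not the plugin's own source, and the two minimal Builder classes and their field names are assumptions for the example.

```java
import hudson.tasks.Builder;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;

// WEAK PATTERN (hypothetical stand-in for the affected builder): the token is a
// plain String field, so Jenkins' XStream persistence writes it verbatim into
// the job's config.xml and the getter hands it back unprotected.
class PlainTokenBuilder extends Builder {
    private String localToken;

    @DataBoundConstructor
    public PlainTokenBuilder(String localToken) {
        this.localToken = localToken;
    }

    @DataBoundSetter
    public void setLocalToken(String localToken) {
        this.localToken = localToken;
    }

    public String getLocalToken() {
        return localToken;
    }
}

// CORRECTED PATTERN: the field, constructor, setter and getter all use
// hudson.util.Secret. Persistence then stores the encrypted form, the
// config form round-trips the Secret, and the plaintext is only
// materialised at the single point the scanner needs it.
class SecretTokenBuilder extends Builder {
    private Secret localToken;

    @DataBoundConstructor
    public SecretTokenBuilder(Secret localToken) {
        this.localToken = localToken;
    }

    @DataBoundSetter
    public void setLocalToken(Secret localToken) {
        this.localToken = localToken;
    }

    public Secret getLocalToken() {
        return localToken;
    }

    // Call only where the token is actually consumed; never log the result.
    String tokenForScanner() {
        return localToken == null ? "" : localToken.getPlainText();
    }
}
```

When migrating an existing job, `Secret.fromString(...)` converts a previously stored plain value to a `Secret` on load, after which a review of the job's `config.xml` should show only the encrypted form for `localToken`.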