CVE-2018-1000605 – org.jenkins-ci.plugins:collabnet

Package

Manager: maven
Name: org.jenkins-ci.plugins:collabnet
Vulnerable Version: >=0 <2.0.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00042 pctl0.12038

Details

Jenkins CollabNet Plugin man in the middle vulnerability A man in the middle vulnerability exists in Jenkins CollabNet Plugin 2.0.4 and earlier in CollabNetApp.java, CollabNetPlugin.java, CNFormFieldValidator.java that allows attackers to impersonate any service that Jenkins connects to. CollabNet Plugin 2.0.5 and newer no longer does that. It instead requires users to opt in to disabling SSL/TLS certificate validation by setting the system property hudson.plugins.collabnet.CollabNetPlugin.skipSslValidation to true. This feature applies to connections by this plugin only.

Metadata

Created: 2022-05-14T02:56:39Z
Modified: 2022-12-12T17:01:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-m8x2-4gc8-9v3r/GHSA-m8x2-4gc8-9v3r.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-m8x2-4gc8-9v3r
Finding: F163
Auto approve: 1