[MAVEN:GHSA-FQ9F-9WV9-RFMG] Improper Certificate Validation in Jenkins

Severity Moderate

Affected Packages 2

Fixed Packages 2

CVEs 1

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Package	Affected Version
pkg:maven/org.jenkins-ci.main/jenkins-core	>= 2.74, <= 2.83
pkg:maven/org.jenkins-ci.main/jenkins-core	<= 2.73.1

Package	Fixed Version
pkg:maven/org.jenkins-ci.main/jenkins-core	= 2.84
pkg:maven/org.jenkins-ci.main/jenkins-core	= 2.73.2

ID: MAVEN:GHSA-FQ9F-9WV9-RFMG
Severity: moderate
URL: https://github.com/advisories/GHSA-fq9f-9wv9-rfmg
Published: 2022-05-14T01:04:35
(2 years ago)
Modified: 2023-01-27T05:02:35
(20 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2017-1000396
			https://jenkins.io/security/advisory/2017-10-11/
			https://github.com/jenkinsci/jenkins/commit/fe77d1c3dbf91ddf2a9f8e5ed882611455ab00d0
			https://github.com/advisories/GHSA-fq9f-9wv9-rfmg

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	>= 2.74 <= 2.83
Fixed	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	= 2.84
Affected	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	<= 2.73.1
Fixed	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	= 2.73.2

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date