Ecosyste.ms: Advisories


Security Advisories: GSA_kwCzR0hTQS1tOHgyLTRnYzgtOXYzcs4AAWOd

Jenkins CollabNet Plugin man-in-the-middle vulnerability

A man-in-the-middle vulnerability exists in Jenkins CollabNet Plugin 2.0.4 and earlier, in CollabNetApp.java, CollabNetPlugin.java and CNFormFieldValidator.java, that allows attackers to impersonate any service that Jenkins connects to. CollabNet Plugin 2.0.5 and newer no longer disables SSL/TLS certificate validation by default; instead, users must explicitly opt in to disabling it by setting the system property hudson.plugins.collabnet.CollabNetPlugin.skipSslValidation to true. This setting applies only to connections made by this plugin.

Permalink: https://github.com/advisories/GHSA-m8x2-4gc8-9v3r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tOHgyLTRnYzgtOXYzcs4AAWOd
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Identifiers: GHSA-m8x2-4gc8-9v3r, CVE-2018-1000605
References: (none listed)
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:collabnet
Affected Version Ranges: <= 2.0.4
Fixed in: 2.0.5