Description

Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in core and made available to plugins.

Remediation

References

CVE-2017-1000396

Related Vulnerabilities

Ruby on Rails URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2021-22881)

Liferay Portal Missing Authorization Vulnerability (CVE-2023-3426)

WordPress Plugin Accept Stripe Donation-AidWP Security Bypass (2.8)

Joomla! Core 4.x.x Multiple Vulnerabilities (4.0.0 - 4.2.3)

ownCloud Other Vulnerability (CVE-2013-2089)

Severity

Medium

Classification

CVE-2017-1000396 CWE-295 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities