CVE-2017-1000397

CWE-20 — Improper Input Validation5 documents5 sources

Severity

5.9MEDIUM

EPSS

0.0%

top 90.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Maven

Timeline

PublishedJan 26

Latest updateMay 14

Description

Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. Maven Plugin 3.0 no longer has a dependency on commons-httpclient.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶Mavenorg.jenkins-ci.main:maven-plugin< 3.0

▶NVDjenkins/maven2.17

🔴Vulnerability Details

GHSA

MitM on Jenkins Maven Plugin↗2022-05-14

▶

OSV

MitM on Jenkins Maven Plugin↗2022-05-14

▶

CVEList

CVE-2017-1000397: Jenkins Maven Plugin 2↗2018-01-26

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2017-10-11↗2017-10-11

▶