CVE-2017-1000397
Published: 2018-01-26
Severity: medium (CVSS 3.0 base score 5.9)
Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. Maven Plugin 3.0 no longer has a dependency on commons-httpclient.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | client_needs_to_be_updated_independently_from_the_plugin | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | mailer_plugin | — | — |
| jenkins | maven | <= 2.17 | — |
| jenkins | maven_plugin | — | — |
| jenkins | please_note_that_swarm_plugin | — | — |
| jenkins | script_security_plugin | — | — |
| jenkins | swarm_plugin | — | — |
| jenkins | updating_just_the_plugin | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| ghsa | — | 4.3 | MEDIUM | — |
| osv | — | 4.3 | MEDIUM | — |