CVE-2019-16561 — Improper Certificate Validation in Project Jenkins Websphere Deployer Plugin

CWE-295 — Improper Certificate Validation5 documents5 sources

Severity

7.1HIGHNVD

EPSS

0.0%

top 92.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Websphere Deployer Plugin Jenkins Websphere Deployer

Timeline

PublishedDec 17

Latest updateMay 24

Description

Jenkins WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_websphere_deployer_pluginunspecified — 1.6.1

▶NVDjenkins/websphere_deployer1.6.1

🔴Vulnerability Details

OSV

SSL/TLS certificate validation globally and unconditionally disabled by Jenkins WebSphere Deployer Plugin↗2022-05-24

▶

GHSA

SSL/TLS certificate validation globally and unconditionally disabled by Jenkins WebSphere Deployer Plugin↗2022-05-24

▶

CVEList

CVE-2019-16561: Jenkins WebSphere Deployer Plugin 1↗2019-12-17

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2019-12-17↗2019-12-17

▶