Jenkins SiteMonitor Plugin Vulnerability Compromises SSL/TLS Verification
CVE-2019-10317

5.9MEDIUM

Key Information:

Vendor

Jenkins
Status
Jenkins Sitemonitor Plugin
Vendor
CVE Published:
30 April 2019

What is CVE-2019-10317?

The Jenkins SiteMonitor Plugin version 0.5 and earlier contains a vulnerability where SSL/TLS and hostname verification are globally disabled for the Jenkins master JVM. This misconfiguration allows malicious actors to exploit insecure connections, potentially leading to unauthorized access and data breaches. Users of the affected plugin should upgrade to the latest version to mitigate this risk.

Affected Version(s)

Jenkins SiteMonitor Plugin 0.5 and earlier

References

http://www.openwall.com/lists/oss-security/2019/04/30/5
mailing-listx_refsource_MLIST
http://www.securityfocus.com/bid/108159
vdb-entryx_refsource_BID
https://jenkins.io/security/advisory/2019-04-30/#SECURITY...
x_refsource_CONFIRM

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.