SSL/TLS Certificate Validation Flaw in Jenkins Spira Importer Plugin by CloudBees
CVE-2019-16558

8.2HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Spira Importer Plugin
Vendor: CVE Published:; 17 December 2019

What is CVE-2019-16558?

The Jenkins Spira Importer Plugin version 3.2.3 and earlier contains a vulnerability that allows the disabling of SSL/TLS certificate validation on the Jenkins master JVM. This flaw exposes environments to potential man-in-the-middle attacks, jeopardizing the integrity and confidentiality of data transmitted between the Jenkins server and other systems. Users of affected versions should update to prevent unauthorized access and maintain secure communications.

Affected Version(s)

Jenkins Spira Importer Plugin <= 3.2.3

References

https://jenkins.io/security/advisory/2019-12-17/#SECURITY...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2019/12/17/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 17, 2019
Vulnerability Reserved
Sep 20, 2019