Hostname Validation Flaw in Jenkins Mailer Plugin by Jenkins
CVE-2020-2252

4.8MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Mailer Plugin
Vendor: CVE Published:; 16 September 2020

Summary

The Jenkins Mailer Plugin, prior to version 1.33, lacks proper hostname validation when establishing connections with configured SMTP servers. This oversight can potentially expose the system to risks associated with unsecured communication channels, as the plugin does not verify that the server it connects to matches the expected hostname. This could allow attackers to exploit the connection and conduct malicious activities, making it crucial for users to update to the latest version to mitigate such vulnerabilities.

Affected Version(s)

Jenkins Mailer Plugin <= 1.32

Jenkins Mailer Plugin 1.29.1

Jenkins Mailer Plugin 1.31.1

References

https://www.jenkins.io/security/advisory/2020-09-16/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2020/09/16/3

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 16, 2020
Vulnerability Reserved
Dec 5, 2019