Jenkins Cadence vManager Plugin disables SSL/TLS and hostname verification

2022-05-2416:58:49

Google

osv.dev

jenkins

cadence vmanager

plugin

ssl/tls

hostname verification

jvm

patched

version 2.7.1

EPSS

0.002

Percentile

53.8%

JSON

Jenkins Cadence vManager Plugin prior to version 2.7.1 disables SSL/TLS and hostname verification globally for the Jenkins master JVM. This issue is patched in 2.7.1

References

github.com/jenkinsci/vmanager-plugin

github.com/jenkinsci/vmanager-plugin/commit/639aa135ab57d9e23c5bedeb0a5e9518eb0f486e

jenkins.io/security/advisory/2019-10-16/#SECURITY-1615

nvd.nist.gov/vuln/detail/CVE-2019-10446

EPSS

0.002

Percentile

53.8%

JSON

Related for OSV:GHSA-5J9F-5WMP-7F8H