OSV:GHSA-XMQV-PFW7-QMJ7
May 24, 2022 - 4:47 p.m.

Jenkins ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation

2022-05-24 16:47:43
Google
osv.dev

AI Score: 6.8 (Confidence: High)

EPSS: 0.003 (Percentile: 70.5%)

CloudBees CD Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM during the deployment/publication of an application.

CloudBees CD Plugin no longer does that. Instead, the existing opt-in option to ignore SSL/TLS errors is used during deployment for the specific connection.

This issue was caused by an incomplete fix for SECURITY-937.
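
The difference between JVM-wide and per-connection handling described above, as an added Java example that is not the plugin's code. It assumes the JVM-wide mechanism is the static `HttpsURLConnection` defaults (the advisory does not name the API used); `ScopedTlsOptOut`, `open`, `ignoreSslErrors` and the URL are hypothetical.

```java
import java.net.URI;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added illustration, not the plugin's code; all names here are hypothetical.
public class ScopedTlsOptOut {
    // Accepts any certificate chain; reachable only through the explicit opt-in.
    static final TrustManager[] TRUST_ALL = { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }};

    static SSLSocketFactory trustAllFactory() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, new SecureRandom());
        return ctx.getSocketFactory();
    }

    // Assumed "before" pattern: these setters are static, so every later
    // HttpsURLConnection in the JVM (any plugin, any job) skips validation.
    static void disableForWholeJvm() throws Exception {
        HttpsURLConnection.setDefaultSSLSocketFactory(trustAllFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
    }

    // "After" pattern: the opt-in relaxes only the connection it is applied to.
    static HttpsURLConnection open(URL url, boolean ignoreSslErrors) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        if (ignoreSslErrors) {
            conn.setSSLSocketFactory(trustAllFactory());
            conn.setHostnameVerifier((host, session) -> true);
        }
        return conn;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factoryBefore = HttpsURLConnection.getDefaultSSLSocketFactory();
        HostnameVerifier verifierBefore = HttpsURLConnection.getDefaultHostnameVerifier();
        // Constructed URL; openConnection() does not send any traffic.
        open(URI.create("https://cd.example.invalid/").toURL(), true);
        boolean untouched = factoryBefore == HttpsURLConnection.getDefaultSSLSocketFactory()
                && verifierBefore == HttpsURLConnection.getDefaultHostnameVerifier();
        System.out.println("JVM-wide defaults untouched: " + untouched);
    }
}
```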
