CVE-2017-1000397

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-1000397

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-1000397.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-1000397

Aliases

GHSA-qhxw-54m9-6wwc

Published

2018-01-26T02:29:00Z

Modified

2024-09-03T01:35:09.341497Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library with the vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making it susceptible to man-in-the-middle attacks. Maven Plugin 3.0 no longer has a dependency on commons-httpclient.

References

https://jenkins.io/security/advisory/2017-10-11/

Affected packages

Git / github.com/jenkinsci/maven-plugin

Affected ranges

Type: GIT
Repo: https://github.com/jenkinsci/maven-plugin
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

77e94605b31c5ea41914e5105f77831d397e7132

Affected versions

1.*

1.580.1-rc1

maven-plugin-2.*

maven-plugin-2.0

maven-plugin-2.0-beta-1

maven-plugin-2.1

maven-plugin-2.10

maven-plugin-2.11

maven-plugin-2.12

maven-plugin-2.12.1

maven-plugin-2.13

maven-plugin-2.14

maven-plugin-2.15

maven-plugin-2.15.1

maven-plugin-2.16

maven-plugin-2.17

maven-plugin-2.2

maven-plugin-2.3

maven-plugin-2.4

maven-plugin-2.5

maven-plugin-2.6

maven-plugin-2.7

maven-plugin-2.7.1

maven-plugin-2.8

maven-plugin-2.9