GHSA-h5hm-73hg-frrm

Source

https://github.com/advisories/GHSA-h5hm-73hg-frrm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h5hm-73hg-frrm/GHSA-h5hm-73hg-frrm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-h5hm-73hg-frrm

Aliases

CVE-2018-1999034

Published

2022-05-14T02:56:39Z

Modified

2024-02-16T08:24:46.633134Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Jenkins Inedo ProGet Plugin globally and unconditionally disabled SSL/TLS certificate validation

Details

A man in the middle vulnerability exists in Jenkins Inedo ProGet Plugin 0.8 and earlier in ProGetApi.java, ProGetConfig.java, ProGetConfiguration.java that allows attackers to impersonate any service that Jenkins connects to.

Database specific

{
    "cwe_ids": [
        "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T22:11:46Z",
    "nvd_published_at": "2018-08-01T13:29:00Z",
    "severity": "HIGH"
}

References

Affected packages

Maven / com.inedo.proget:inedo-proget

Package

Name: com.inedo.proget:inedo-proget; View open source insights on deps.dev
Purl: pkg:maven/com.inedo.proget/inedo-proget

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0

Affected versions

0.*

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h5hm-73hg-frrm/GHSA-h5hm-73hg-frrm.json"

last_known_affected_version_range

"<= 0.8"