GHSA-hrr3-7r5v-vxx5

Source

https://github.com/advisories/GHSA-hrr3-7r5v-vxx5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hrr3-7r5v-vxx5/GHSA-hrr3-7r5v-vxx5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hrr3-7r5v-vxx5

Aliases

CVE-2018-1999035

Published

2022-05-14T02:56:40Z

Modified

2024-02-16T08:13:51.009722Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Jenkins Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS certificate validation

Details

A man in the middle vulnerability exists in Jenkins Inedo BuildMaster Plugin 1.3 and earlier in BuildMasterConfiguration.java, BuildMasterConfig.java, BuildMasterApi.java that allows attackers to impersonate any service that Jenkins connects to.

Database specific

{
    "nvd_published_at": "2018-08-01T13:29:00Z",
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T22:11:35Z"
}

References

Affected packages

Maven / com.inedo.buildmaster:inedo-buildmaster

Package

Name: com.inedo.buildmaster:inedo-buildmaster; View open source insights on deps.dev
Purl: pkg:maven/com.inedo.buildmaster/inedo-buildmaster

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0

Affected versions

1.*

1.0

1.1

1.2

1.3

1.4

1.5

1.6

Database specific

{
    "last_known_affected_version_range": "<= 1.3"
}