CVE-2018-1000605

Name of the Vulnerable Software and Affected Versions Jenkins CollabNet Plugin versions 2.0.4 and earlier

Description A man-in-the-middle issue exists that allows attackers to impersonate any service that Jenkins connects to. This is due to the handling of SSL/TLS certificate validation in the affected versions of the plugin, specifically within the files CollabNetApp.java, CollabNetPlugin.java, and CNFormFieldValidator.java.

Recommendations For Jenkins CollabNet Plugin versions 2.0.4 and earlier, update to version 2.0.5 or newer, which requires users to opt-in to disabling SSL/TLS certificate validation by setting the system property hudson.plugins.collabnet.CollabNetPlugin.skipSslValidation to true.