Jenkins · Jenkins Mailer Plugin · CVE-2020-2252
**Name of the Vulnerable Software and Affected Versions**
Jenkins Mailer Plugin versions 1.32 and earlier
**Description**
The plugin does not perform hostname validation when connecting to the configured SMTP server. An attacker in a man-in-the-middle position could exploit this to intercept those connections. Given the popularity of the Jenkins Mailer Plugin, it is estimated that this issue could potentially affect a large number of devices.
**Recommendations**
For Jenkins Mailer Plugin versions 1.32 and earlier, set the Java system property `mail.smtp.ssl.checkserveridentity` to true on startup to enable hostname validation.
For versions prior to 1.32.1, 1.31.1, and 1.29.1, update to the respective fixed version; the fixed versions enable hostname validation by default.
As a temporary workaround for affected versions, consider setting the Java system property `mail.smtp.ssl.checkserveridentity` to true to protect against man-in-the-middle attacks. If issues arise, this protection can be disabled by setting `mail.smtp.ssl.checkserveridentity` to false.
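A check an administrator might run against the recommendations above, as an added example that is not code from the Jenkins project: given the installed Mailer Plugin version and the JVM arguments Jenkins was started with, it reports whether hostname validation is in effect. The function names and sample inputs are constructed, and treating a property value other than `true` or `false` as unset is an assumption.

```shell
#!/bin/sh
# Added example: classify hostname-validation state for CVE-2020-2252.
#   $1 = installed Mailer Plugin version   $2 = JVM arguments of the Jenkins process
# Function names and sample inputs below are constructed for illustration.

PROP='mail.smtp.ssl.checkserveridentity'

# Succeeds if the version carries the fix: 1.29.1, 1.31.1, 1.32.1 (or a later
# patch on those lines), or any release newer than the 1.32 line.
mailer_is_fixed() {
    ver=${1%%[!0-9.]*}                      # drop suffixes such as "-SNAPSHOT"
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 32 ] && return 0
    case $minor in
        29|31|32) [ "$patch" -ge 1 ] ;;
        *)        return 1 ;;
    esac
}

# Prints the value of -D<PROP>=... from the argument string, or "unset".
# If the option is repeated, the last occurrence is reported.
mailer_prop_value() {
    val=unset
    for arg in $1; do
        case $arg in
            "-D$PROP="*) val=${arg#*=} ;;
        esac
    done
    printf '%s\n' "$val"
}

# Prints one of: enabled-by-property, disabled-by-property,
# enabled-by-default, vulnerable. Values other than true/false are
# treated as unset (assumption), so the version decides.
mailer_status() {
    case $(mailer_prop_value "$2" | tr 'A-Z' 'a-z') in
        true)  echo enabled-by-property ;;
        false) echo disabled-by-property ;;
        *)     if mailer_is_fixed "$1"; then echo enabled-by-default
               else echo vulnerable; fi ;;
    esac
}

# Constructed sample: Mailer 1.32 started without the property.
mailer_status "1.32" "-Xmx2g -jar jenkins.war"    # prints: vulnerable
```

A `disabled-by-property` result on a fixed version means the protection was switched off explicitly and the SMTP connection is again open to interception.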