PT-2018-5178 · Apache+1 · Commons-Httpclient+1

Published

2018-01-26

Updated

2022-05-14

CVE-2017-1000396

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.73.1 and earlier, 2.83 and earlier

Description The issue concerns a vulnerability in the commons-httpclient library that incorrectly verifies SSL certificates, making it susceptible to man-in-the-middle attacks. This library is widely used as a transitive dependency in Jenkins plugins.

Recommendations For Jenkins versions 2.73.1 and earlier, 2.83 and earlier, update the commons-httpclient library to a version that includes the backported fix for the issue.

Fix

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-295

Related Identifiers

CVE-2017-1000396

GHSA-FQ9F-9WV9-RFMG

Affected Products

Jenkins

Commons-Httpclient

PT-2018-5178 · Apache+1 · Commons-Httpclient+1

CVE-2017-1000396

Weakness Enumeration

Related Identifiers

Affected Products

References · 6