PT-2019-11734 · Cloudbees · Cloudbees Cd Plugin

Daniel Beck · Published 2019-06-11 · Updated 2023-10-25 · CVE-2019-10334

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins ElectricFlow Plugin version 1.1.5 and earlier
CloudBees CD Plugin (affected versions not specified)

Description

The issue concerns the disabling of SSL/TLS certificate validation and hostname verification in Jenkins plugins. Specifically, the Jenkins ElectricFlow Plugin disabled these security measures globally for the whole Jenkins master JVM whenever it uploaded files using MultipartUtility.java, so the change was not limited to the plugin's own connection. Similarly, the CloudBees CD Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM during application deployment. This was caused by an incomplete fix for a previous security issue. The estimated number of potentially affected devices worldwide is not available.

Recommendations

For Jenkins ElectricFlow Plugin version 1.1.5 and earlier, update to a version that properly handles SSL/TLS certificate validation and hostname verification. For CloudBees CD Plugin, use the existing opt-in option to ignore SSL/TLS errors during deployment, which applies only to the specific connection, instead of relying on the previous unconditional disabling of certificate validation for the whole JVM. As a temporary workaround, consider restricting the use of MultipartUtility.java in the Jenkins ElectricFlow Plugin until a proper fix is available.
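The distinction the advisory draws, between relaxing TLS checks for the whole controller JVM and relaxing them for one connection, comes down to which HttpsURLConnection API a plugin calls. The following Java class is an added illustration written for this page; it is not the ElectricFlow or CloudBees CD plugin source. The class name, the ignoreTlsErrors flag (assumed to come from a job's configuration) and the URL are placeholders, and the demo reuses the JVM's default socket factory as a stand-in so it never actually weakens certificate checks. The Defaults snapshot is the check a plugin test or code review can use to confirm the JVM-wide settings were left alone.

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example, not plugin code: contrasts JVM-wide TLS relaxation (the bug
 * class in this advisory) with a per-connection opt-in, plus a check that the
 * process-wide defaults survived.
 */
public final class TlsScope {

    /** Snapshot of the JVM-wide defaults, taken before the code under test runs. */
    public static final class Defaults {
        final SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
        final HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();

        /** True only if nothing replaced the static defaults since the snapshot. */
        boolean untouched() {
            return factory == HttpsURLConnection.getDefaultSSLSocketFactory()
                && verifier == HttpsURLConnection.getDefaultHostnameVerifier();
        }
    }

    /**
     * The pattern the advisory describes: the static defaults are shared by every
     * HttpsURLConnection the controller (and every other plugin) opens afterwards.
     */
    static void relaxGlobally(SSLSocketFactory permissive, HostnameVerifier acceptAll) {
        HttpsURLConnection.setDefaultSSLSocketFactory(permissive);
        HttpsURLConnection.setDefaultHostnameVerifier(acceptAll);
    }

    /**
     * Per-connection shape: the opt-in (hypothetical flag from job configuration)
     * affects only the connection it is applied to; all others keep the default
     * trust store and hostname verifier.
     */
    static HttpsURLConnection openUpload(URL url, boolean ignoreTlsErrors,
                                         SSLSocketFactory permissive,
                                         HostnameVerifier acceptAll) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        if (ignoreTlsErrors) {
            conn.setSSLSocketFactory(permissive);
            conn.setHostnameVerifier(acceptAll);
        }
        return conn; // openConnection() does not connect; no network traffic here
    }

    public static void main(String[] args) throws IOException {
        // Constructed placeholder; .invalid is reserved and is never resolved or contacted.
        URL target = new URL("https://deploy.example.invalid/upload");
        Defaults before = new Defaults();
        HostnameVerifier acceptAll = (host, session) -> true;
        // Stand-in for a permissive factory: the default one is reused so this
        // demo never actually disables certificate validation.
        SSLSocketFactory standIn = before.factory;

        HttpsURLConnection conn = openUpload(target, true, standIn, acceptAll);
        System.out.println("connection got the opt-in verifier: "
            + (conn.getHostnameVerifier() == acceptAll));
        System.out.println("after per-connection opt-in, defaults untouched: "
            + before.untouched());

        relaxGlobally(standIn, acceptAll);
        System.out.println("after global change, defaults untouched: "
            + before.untouched());

        // Put the process back the way it was so nothing else is affected.
        HttpsURLConnection.setDefaultHostnameVerifier(before.verifier);
        HttpsURLConnection.setDefaultSSLSocketFactory(before.factory);
    }
}
```

The first two lines printed are true and the third is false: the per-connection calls leave the snapshot intact, while the setDefault* calls change state that every other HTTPS client in the JVM inherits. A plugin's unit tests can take a Defaults snapshot before exercising upload or deployment code and assert untouched() afterwards, which catches a regression of exactly the kind this advisory records.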

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2019-10334
GHSA-XMQV-PFW7-QMJ7

Affected Products

Cloudbees Cd Plugin
Jenkins
Jenkins Electricflow Plugin