CVE-2020-2252

Name of the Vulnerable Software and Affected Versions Jenkins Mailer Plugin versions 1.32 and earlier

Description The issue is related to the lack of hostname validation when connecting to the configured SMTP server. This could be exploited using a man-in-the-middle attack to intercept connections. It is estimated that this issue could potentially affect a large number of devices, given the popularity of the Jenkins Mailer Plugin.

Recommendations For Jenkins Mailer Plugin versions 1.32 and earlier, set the Java system property mail.smtp.ssl.checkserveridentity to true on startup to enable hostname validation. For versions prior to 1.32.1, 1.31.1, and 1.29.1, update to the respective fixed versions to enable hostname validation by default. As a temporary workaround for affected versions, consider setting the Java system property mail.smtp.ssl.checkserveridentity to true to protect against man-in-the-middle attacks. If issues arise, this protection can be disabled by setting mail.smtp.ssl.checkserveridentity to false.