PT-2020-15477 · Jenkins · Jenkins Email Extension Plugin

Peter Stöckli · Published 2020-09-16 · Updated 2023-10-25 · CVE-2020-2253

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions: Jenkins Email Extension Plugin versions 2.75 and earlier
Description: Jenkins Email Extension Plugin 2.75 and earlier does not validate the hostname when it connects to the configured SMTP server over TLS (CWE-295, Improper Certificate Validation): the certificate chain is checked, but not whether the certificate was issued for the SMTP host Jenkins was told to contact. An attacker positioned between Jenkins and the SMTP server (man-in-the-middle) can therefore present a certificate that chains to a trusted CA but was issued for a different host, and the plugin accepts it; the attacker can then read or alter the mail traffic, which is why the CVSS vector scores partial impact on confidentiality and integrity and none on availability. Any Jenkins installation running the affected plugin version and sending mail over TLS is exposed; the advisory gives no count of affected installations.
Recommendations:
- Update to Jenkins Email Extension Plugin version 2.76 or later, which validates the SMTP server hostname when connecting via TLS by default.
- For versions 2.75 and earlier, set the Java system property mail.smtp.ssl.checkserveridentity to true on Jenkins startup to enable hostname validation. Alternatively, enable it via the 'Advanced Email Properties' field in the plugin's configuration under Configure System.
- Should the validation cause problems (for example a certificate whose names do not match the configured SMTP host), it can be disabled again by setting mail.smtp.ssl.checkserveridentity to false by either method; note that doing so leaves the connection open to the attack described above.
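As an added worked example (not part of this advisory and not the plugin's own code), the following POSIX shell helper audits either a Jenkins JVM option string or the contents of the 'Advanced Email Properties' field for the mail.smtp.ssl.checkserveridentity setting, and emits a hardened JVM option string when it is missing or set to false. The sample option strings and property blobs are constructed; the assumption that the last occurrence of a repeated -D flag or property key wins is mine, and the java -jar jenkins.war line is only illustrative.

```sh
#!/bin/sh
# Added example: audit and harden the mail.smtp.ssl.checkserveridentity
# setting for Jenkins Email Extension Plugin <= 2.75. Not the plugin's code.

PROP=mail.smtp.ssl.checkserveridentity

# Constructed sample inputs (not taken from any real installation).
WEAK_OPTS='-Djava.awt.headless=true -Xmx2g'
FIXED_OPTS="$WEAK_OPTS -D$PROP=true"
# Advanced Email Properties is a key=value-per-line field in Configure System.
ADVANCED_PROPS_DISABLED='mail.smtp.starttls.enable=true
mail.smtp.ssl.checkserveridentity=false'

# Classify the setting in $1, which is either a JVM option string
# (-Dkey=value ...) or the contents of Advanced Email Properties.
# Prints one of: enabled | disabled | unset.
# Assumption: when the key repeats, the last occurrence wins, as it does for
# repeated -D flags and for java.util.Properties loading.
checkserveridentity_state() {
  state=unset
  for tok in $1; do                 # word-split on spaces, tabs, newlines
    tok=${tok#-D}                   # strip the JVM flag prefix if present
    case $tok in
      "$PROP=true")  state=enabled ;;
      "$PROP=false") state=disabled ;;
    esac
  done
  printf '%s\n' "$state"
}

# Return a JVM option string with hostname validation enabled. An explicit
# =false is overridden by appending =true at the end (see assumption above).
harden_java_opts() {
  case $(checkserveridentity_state "$1") in
    enabled) printf '%s\n' "$1" ;;
    *)       printf '%s -D%s=true\n' "$1" "$PROP" ;;
  esac
}

# Illustrative startup line, not executed here:
#   java $(harden_java_opts "$JAVA_OPTS") -jar jenkins.war
demo() {
  for sample in "$WEAK_OPTS" "$FIXED_OPTS" "$ADVANCED_PROPS_DISABLED"; do
    printf '%-8s <- %s\n' "$(checkserveridentity_state "$sample")" \
      "$(printf '%s' "$sample" | tr '\n' ' ')"
  done
  printf 'hardened: %s\n' "$(harden_java_opts "$WEAK_OPTS")"
}
demo
```

Reading the system property from the Jenkins Script Console with System.getProperty("mail.smtp.ssl.checkserveridentity") only shows the startup-option path; the 'Advanced Email Properties' field has to be inspected separately in Configure System, since a false there also disables the check. On plugin 2.76 and later the property is unset by default and validation is still on, so only an explicit false indicates that the protection has been turned off.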

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2020-2253
GHSA-4QRJ-99R6-JFRH

Affected Products

Jenkins
Jenkins Email Extension Plugin