PT-2023-2575 · Jenkins · Jenkins Image Tag Parameter Plugin

Daniel Beck · Published 2023-04-12 · Updated 2025-02-07

CVE-2023-30516 · CVSS v3.1 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Image Tag Parameter Plugin 2.0
Description: Jenkins Image Tag Parameter Plugin 2.0 introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries. The new setting is absent from job configurations that were saved before 2.0, and the plugin treats an absent setting as an opt-out, so every Image Tag Parameter created before 2.0 loads with certificate validation disabled by default rather than enabled. The weakness is improper certificate validation: an attacker positioned between the Jenkins controller and the registry can impersonate the registry with an untrusted certificate without the connection failing, and read what the plugin sends to and receives from it, information that TLS is supposed to protect.
Recommendations: Update Jenkins Image Tag Parameter Plugin to 2.0.1, which enables SSL/TLS certificate validation by default for configurations created before 2.0. Until the update is applied, identify every job whose Image Tag Parameters were created before 2.0, open each one, explicitly enable certificate validation and re-save the job so the setting is written to its configuration; do not rely on the on-screen default, since the stored configuration has no value for it. Restrict who may configure those jobs so the opt-out cannot be re-introduced, and prefer registries reachable only over trusted network paths in the meantime.
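The mechanism the description relies on, and the audit the recommendations call for, as an added example in Python. This is not code from the Jenkins Image Tag Parameter Plugin; it models the bug class (a boolean option added in a later release is missing from configurations saved earlier, and the loader's fallback for "missing" decides whether validation is on) with a flawed loader beside a safe one, and scans a job config for parameters that never set the flag. The element names imageTagParameterDefinition, verifySsl and registry, and the sample config.xml, are constructed for illustration and are not the plugin's real schema; adapt the names before running the audit against $JENKINS_HOME/jobs/*/config.xml.

```python
# Added example, not code from the Jenkins Image Tag Parameter Plugin.
# It models the class of bug in the advisory: a boolean option added in a
# later plugin version is absent from job configurations saved earlier,
# and the loader's fallback for "absent" decides whether validation is on.
# The element names below (<imageTagParameterDefinition>, <verifySsl>,
# <registry>) are assumptions for illustration, NOT the plugin's real
# config.xml schema; adapt them before pointing the audit at $JENKINS_HOME.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

PARAM_TAG = "imageTagParameterDefinition"   # assumed element name
FLAG_TAG = "verifySsl"                      # assumed name of the 2.0 option


@dataclass(frozen=True)
class ImageTagParam:
    name: str
    registry: str
    verify_ssl: bool


def _explicit_flag(elem: ET.Element) -> Optional[bool]:
    """Return the flag as written in the XML, or None when the element is absent."""
    text = elem.findtext(FLAG_TAG)
    if text is None:
        return None
    return text.strip().lower() == "true"


def load_vulnerable(elem: ET.Element) -> ImageTagParam:
    """Loader with the flawed fallback: an absent flag becomes False, the same
    value a Java primitive boolean field holds when XStream finds no element
    for it, so every pre-2.0 configuration loads with validation disabled."""
    flag = _explicit_flag(elem)
    return ImageTagParam(
        name=elem.findtext("name", ""),
        registry=elem.findtext("registry", ""),
        verify_ssl=False if flag is None else flag,
    )


def load_hardened(elem: ET.Element) -> ImageTagParam:
    """Loader with a safe fallback: an absent flag means the configuration
    predates the option, so validation stays on; only an explicit
    <verifySsl>false</verifySsl> opts out. In a Jenkins plugin the same
    migration is normally done in readResolve() after deserialization."""
    flag = _explicit_flag(elem)
    return ImageTagParam(
        name=elem.findtext("name", ""),
        registry=elem.findtext("registry", ""),
        verify_ssl=True if flag is None else flag,
    )


def audit_config(config_xml: str) -> List[str]:
    """Names of Image Tag Parameters in one job config that never set the flag,
    i.e. the configurations the advisory says load with validation disabled."""
    root = ET.fromstring(config_xml)
    return [
        p.findtext("name", "")
        for p in root.iter(PARAM_TAG)
        if p.find(FLAG_TAG) is None
    ]


# Constructed sample config.xml: one parameter saved before 2.0 (no flag),
# one saved by 2.0 with validation on, one with an explicit opt-out.
SAMPLE_CONFIG = f"""<project>
  <properties>
    <hudson.model.ParametersDefinitionProperty>
      <parameterDefinitions>
        <{PARAM_TAG}>
          <name>LEGACY_TAG</name>
          <registry>https://registry.example.internal</registry>
        </{PARAM_TAG}>
        <{PARAM_TAG}>
          <name>NEW_TAG</name>
          <registry>https://registry.example.internal</registry>
          <{FLAG_TAG}>true</{FLAG_TAG}>
        </{PARAM_TAG}>
        <{PARAM_TAG}>
          <name>OPT_OUT_TAG</name>
          <registry>https://insecure.example.internal</registry>
          <{FLAG_TAG}>false</{FLAG_TAG}>
        </{PARAM_TAG}>
      </parameterDefinitions>
    </hudson.model.ParametersDefinitionProperty>
  </properties>
</project>
"""


def compare_loaders(config_xml: str = SAMPLE_CONFIG) -> dict:
    """Map each parameter name to (flawed, safe) verify_ssl results."""
    root = ET.fromstring(config_xml)
    return {
        p.findtext("name", ""): (load_vulnerable(p).verify_ssl, load_hardened(p).verify_ssl)
        for p in root.iter(PARAM_TAG)
    }


if __name__ == "__main__":
    for name, (vuln, safe) in compare_loaders().items():
        print(f"{name:12s} flawed-fallback verify_ssl={vuln!s:5s} safe-fallback verify_ssl={safe}")
    print("needs explicit flag:", audit_config(SAMPLE_CONFIG))
```

The only difference between the two loaders is the value chosen for an absent element; that single default is what turns a harmless feature addition into a silent downgrade for every existing job. The audit lists the parameters an administrator has to re-save with the flag set explicitly, which is the workaround the recommendations describe.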

Fix

Jenkins Image Tag Parameter Plugin 2.0.1, which enables SSL/TLS certificate validation by default when loading configurations created before 2.0.

Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

BDU:2023-02391
CVE-2023-30516
GHSA-38JC-2RWX-QGXR

Affected Products

Jenkins
Jenkins Image Tag Parameter Plugin