First published: Tue Jun 11 2019 (Updated: )
Jenkins ElectricFlow Plugin 1.1.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM when MultipartUtility.java is used to upload files.
Credit: jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Electricflow | <=1.1.5 | |
| maven/org.jenkins-ci.plugins:electricflow | <=1.1.6 | 1.1.7 |
CVE-2019-10334 is a vulnerability found in the Jenkins ElectricFlow Plugin that disabled SSL/TLS and hostname verification globally.
CVE-2019-10334 affects the CloudBees CD Plugin (the current name of the ElectricFlow Plugin), which unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM during deployment or publication of an application.
CVE-2019-10334 has a medium severity with a CVSS score of 6.5.
To fix CVE-2019-10334, update your CloudBees CD Plugin to version 1.1.7 or later.
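To make concrete what "disabled globally for the Jenkins master JVM" means, the following Java illustration was added for this page; it is not code from the ElectricFlow/CloudBees CD plugin or from its MultipartUtility.java. It contrasts the JVM-wide anti-pattern the advisory describes with a per-connection TLS configuration, and includes a check an administrator can run on a controller to see whether the JVM-wide defaults have been replaced. The class and method names (TlsDefaultsCheck, disableVerificationGlobally, defaultsUntouched, openScoped) and the example.com URL are assumptions made here.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Illustration of the bug class behind CVE-2019-10334 (not the plugin's code):
 * process-wide TLS defaults versus a per-connection configuration, plus a
 * check that reports whether the JVM-wide defaults have been swapped out.
 */
public class TlsDefaultsCheck {

    // Snapshot of the JVM-wide defaults taken when this class loads. On a
    // Jenkins controller you would take it from an init hook, before any
    // plugin code runs (assumption: nothing has replaced them at that point).
    static final SSLSocketFactory BASELINE_FACTORY = HttpsURLConnection.getDefaultSSLSocketFactory();
    static final HostnameVerifier BASELINE_VERIFIER = HttpsURLConnection.getDefaultHostnameVerifier();

    /** The anti-pattern the advisory describes: trust every certificate and
     *  every hostname, for every HttpsURLConnection in the process, from now on. */
    static void disableVerificationGlobally() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory()); // JVM-wide
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true); // JVM-wide
    }

    /** Detection: true only if both JVM-wide defaults are still the instances
     *  captured at startup and the hostname verifier is the JDK's own class. */
    static boolean defaultsUntouched() {
        HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
        boolean jdkVerifier = hv.getClass().getName()
                .equals("javax.net.ssl.HttpsURLConnection$DefaultHostnameVerifier");
        return HttpsURLConnection.getDefaultSSLSocketFactory() == BASELINE_FACTORY
                && hv == BASELINE_VERIFIER
                && jdkVerifier;
    }

    /** Hardened form: configure TLS on one connection only. The trust material
     *  here is the JVM's default trust store (null KeyStore). If the upload
     *  target really uses a private CA, load that CA into a KeyStore and pass
     *  it to tmf.init instead; never widen the process-wide defaults. */
    static HttpsURLConnection openScoped(URL url) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // this connection only
        // No setHostnameVerifier call: the JDK default stays in force.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("before: defaults untouched = " + defaultsUntouched());
        disableVerificationGlobally();
        System.out.println("after:  defaults untouched = " + defaultsUntouched());
        // example.com is a placeholder; openConnection() does not contact the host.
        HttpsURLConnection c = openScoped(new URL("https://example.com/upload"));
        System.out.println("scoped factory differs from JVM default: "
                + (c.getSSLSocketFactory() != HttpsURLConnection.getDefaultSSLSocketFactory()));
    }
}
```

The same two calls that defaultsUntouched() relies on, HttpsURLConnection.getDefaultSSLSocketFactory() and getDefaultHostnameVerifier(), can be evaluated from the Jenkins script console (Groovy) on a running controller, which is a quick way to confirm whether a plugin has left the process in the state this advisory describes before and after upgrading to 1.1.7.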
You can find more information about CVE-2019-10334 at the following references: [http://www.openwall.com/lists/oss-security/2019/06/11/1](http://www.openwall.com/lists/oss-security/2019/06/11/1), [http://www.securityfocus.com/bid/108747](http://www.securityfocus.com/bid/108747), [https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1411](https://jenkins.io/security/advisory/2019-06-11/#SECURITY-1411).