CVE-2020-2252
First published: Wed Sep 16 2020(Updated: )
Jenkins Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <2-plugins-0:3.11.1603460090-1.el7 | 2-plugins-0:3.11.1603460090-1.el7 |
| redhat/jenkins | <2-plugins-0:4.6.1601368321-1.el8 | 2-plugins-0:4.6.1601368321-1.el8 |
| maven/org.jenkins-ci.plugins:mailer | <1.29.1 | 1.29.1 |
| maven/org.jenkins-ci.plugins:mailer | >=1.30<1.31.1 | 1.31.1 |
| maven/org.jenkins-ci.plugins:mailer | =1.32 | 1.32.1 |
| redhat/mailer | <1.32.1 | 1.32.1 |
| Jenkins Mailer Jenkins | <=1.32 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-2252
- https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1813
- http://www.openwall.com/lists/oss-security/2020/09/16/3
- https://github.com/CVEProject/cvelist/blob/16860a328d970faa6e4350b0fa446f64a52e52ca/2020/2xxx/CVE-2020-2252.json
- https://github.com/advisories/GHSA-6fr3-286q-q3cr (Advisory)
- https://github.com/jenkinsci/mailer-plugin/commit/e1893c6d105669f134ee5c5212ef9f3944d7d00d
- https://www.openwall.com/lists/oss-security/2020/09/16/3
- https://access.redhat.com/errata/RHSA-2020:4297
- https://access.redhat.com/security/cve/cve-2020-2252
- https://access.redhat.com/errata/RHSA-2020:5102
- https://bugzilla.redhat.com/show_bug.cgi?id=1880454
- https://www.cve.org/CVERecord?id=CVE-2020-2252 https://nvd.nist.gov/vuln/detail/CVE-2020-2252 https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1813 https://www.openwall.com/lists/oss-security/2020/09/16/3
Frequently Asked Questions
What is CVE-2020-2252?
CVE-2020-2252 is a vulnerability in the Jenkins Mailer Plugin that allows for potential man-in-the-middle attacks.
How severe is CVE-2020-2252?
CVE-2020-2252 has a severity score of 4.8, which is considered medium.
Which versions of Jenkins Mailer Plugin are affected?
Versions prior to 1.32.1, 1.31.1, and 1.29.1 of Jenkins Mailer Plugin are affected.
How can the vulnerability be exploited?
The vulnerability can be exploited through a man-in-the-middle attack to intercept connections.
What is the remedy for CVE-2020-2252?
The remedy for CVE-2020-2252 is to update Jenkins Mailer Plugin to version 1.32.1 or higher.
- collector/redhat-cve
- collector/github-advisory
- alias/GHSA-6fr3-286q-q3cr
- alias/CVE-2020-2252
- collector/github-advisory-latest
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/severity
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/event
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- agent/tags
- agent/description
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- package-manager/maven
- vendor/jenkins
- canonical/jenkins mailer jenkins
- version/jenkins mailer jenkins/1.32