CVE-2023-30516

2023-04-1218:15:09

CWE-295

[email protected]

web.nvd.nist.gov

cve-2023-30516

jenkins

image tag parameter plugin

ssl/tls

docker

registry

security

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

32.4%

JSON

Jenkins Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries, resulting in job configurations using Image Tag Parameters that were created before 2.0 having SSL/TLS certificate validation disabled by default.

Affected configurations

NVD

Node

jenkinsimage_tag_parameterRange<2.0jenkins

CPENameOperatorVersion
jenkins:image_tag_parameterjenkins image tag parameterlt2.0

CPE	Name	Operator	Version
jenkins:image_tag_parameter	jenkins image tag parameter	lt	2.0

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "product": "Jenkins Image Tag Parameter Plugin",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThanOrEqual": "2.0",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]