Jenkins Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS certificate validation

2022-05-1402:56:40

Google

osv.dev

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.0%

JSON

A man in the middle vulnerability exists in Jenkins Inedo BuildMaster Plugin 1.3 and earlier in BuildMasterConfiguration.java, BuildMasterConfig.java, BuildMasterApi.java that allows attackers to impersonate any service that Jenkins connects to.

CPENameOperatorVersion
com.inedo.buildmaster:inedo-buildmastereq1.5
com.inedo.buildmaster:inedo-buildmastereq1.1
com.inedo.buildmaster:inedo-buildmastereq1.0
com.inedo.buildmaster:inedo-buildmastereq1.6
com.inedo.buildmaster:inedo-buildmastereq1.3
com.inedo.buildmaster:inedo-buildmastereq1.2
com.inedo.buildmaster:inedo-buildmastereq1.4

Name	Operator	Version
com.inedo.buildmaster:inedo-buildmaster	eq	1.5
com.inedo.buildmaster:inedo-buildmaster	eq	1.1
com.inedo.buildmaster:inedo-buildmaster	eq	1.0
com.inedo.buildmaster:inedo-buildmaster	eq	1.6
com.inedo.buildmaster:inedo-buildmaster	eq	1.3
com.inedo.buildmaster:inedo-buildmaster	eq	1.2
com.inedo.buildmaster:inedo-buildmaster	eq	1.4