CVE-2017-1000396

Description

Jenkins 2.73.1 and earlier, and 2.83 and earlier, bundled a version of the commons-httpclient library affected by CVE-2012-6153: it incorrectly verified SSL certificates, leaving connections made through it susceptible to man-in-the-middle attacks. The library is widely used as a transitive dependency in Jenkins plugins, so plugins that relied on the bundled copy inherited the flaw. The fix for CVE-2012-6153 was backported to the version of commons-httpclient that is bundled in Jenkins core and made available to plugins.

Risk Information

Base Score: 5.9 (MODERATE)
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score (Exploitation Probability): 0.04

Associated Vulnerability

Vulnerability                                                          OS Platform
---------------------------------------------------------------------  -----------
Multiple vulnerabilities affected in Jenkins 2.83                      Windows
Multiple vulnerabilities are fixed in Jenkins-Core 2.73.2              Windows
Multiple vulnerabilities are fixed in Jenkins-Core 2.84                Windows
Multiple vulnerabilities affected in Jenkins 2.83 (For Ubuntu)         Linux
Multiple vulnerabilities affected in Jenkins 2.83 (For Debian)         Linux
Multiple vulnerabilities affected in Jenkins 2.83 (For Centos)         Linux
Multiple vulnerabilities affected in Jenkins 2.83 (For RedHat)         Linux
Multiple vulnerabilities affected in Jenkins 2.83 (For Suse)           Linux
Multiple vulnerabilities are fixed in Jenkins-Core for Linux 2.73.2    Linux
Multiple vulnerabilities are fixed in Jenkins-Core for Linux 2.84      Linux

Patch Details

No records found
