
CVE-2019-10382: Jenkins VMware Lab Manager Slaves Plugin vulnerable to Improper Certificate Validation

CVSS Score (v3.1)
6.5

Basic Information

EPSS Score
0.15335%
Published
5/24/2022
Updated
3/3/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Package Name
org.jenkins-ci.plugins:labmanager
Ecosystem
maven
Vulnerable Versions
<= 0.2.8
First Patched Version
None listed

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The advisory describes the vulnerability as the plugin unconditionally disabling SSL/TLS certificate validation for the entire Jenkins controller JVM, which aligns with CWE-295 (Improper Certificate Validation). However, the information provided does not include code snippets, commit diffs, or file paths from the plugin's source. Without the actual implementation details (for example, code that installs a permissive TrustManager, disables hostname verification, or configures an insecure SSLContext as the JVM default), the exact vulnerable functions cannot be identified with high confidence. The root cause itself is clear: a global SSL/TLS validation bypass affecting the whole controller JVM rather than only the plugin's own connections. Only the lack of code-level specifics prevents pinpointing the precise functions responsible.
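The following Java example is added here to illustrate the CWE-295 pattern the advisory describes; it is not the Lab Manager plugin's own code, and the method and parameter names (`disableValidationGlobally`, `openLabManagerConnection`, `caTrustStorePath`) are hypothetical. It contrasts the JVM-wide bypass shape (process defaults replaced by a trust-everything TrustManager and hostname verifier) with a connection-scoped trust store that validates the Lab Manager server's certificate chain.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

public class LabManagerTlsExample {

    // Anti-pattern (hypothetical, mirrors the advisory's description): a permissive
    // TrustManager and hostname verifier installed as the process-wide defaults.
    // Every HttpsURLConnection opened anywhere in the controller JVM, by any plugin,
    // silently stops validating the peer. In a code review these two setDefault*
    // calls are the lines to flag; a plugin has no reason to change JVM defaults.
    static void disableValidationGlobally() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory()); // JVM-wide
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true); // JVM-wide
    }

    // Hardened shape: trust only the CA that issued the Lab Manager server certificate,
    // loaded from a trust store the administrator controls (path and password are
    // assumed to come from the plugin's configuration), and apply that context to this
    // one connection. Default hostname verification is left in place.
    static HttpsURLConnection openLabManagerConnection(URL labManagerUrl,
                                                       String caTrustStorePath,
                                                       char[] trustStorePassword) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(caTrustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) labManagerUrl.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // scoped to this connection only
        return conn;
    }
}
```

For detection in a plugin code base, searching for `setDefaultSSLSocketFactory`, `setDefaultHostnameVerifier` and `SSLContext.setDefault` finds the process-wide variant quickly, whereas the scoped form leaves no JVM-global state behind.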


WAF Protection Rules

WAF Rule

VMware Lab Manager Slaves Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. As of publication of this advisory, there is no fix.
