
CVE-2019-10446: Jenkins Cadence vManager Plugin disables SSL/TLS and hostname verification

CVSS Score (v3.1): 8.2

Basic Information

EPSS Score: 0.15335%
Published: 5/24/2022
Updated: 1/31/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Package Name: org.jenkins-ci.plugins:vmanager-plugin
Ecosystem: maven
Vulnerable Versions: < 2.7.1
First Patched Version: 2.7.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from the original implementation of fixUntrustCertificate(), which installed a custom X509TrustManager that skipped certificate validation and a HostnameVerifier that always returned true. The commit diff shows this function was replaced with a safer Apache HttpClient implementation that confines the SSL bypass (via NoopHostnameVerifier and TrustSelfSignedStrategy) to the plugin's own client, and applies it only when explicitly enabled by the user. The pre-patch version's global HttpsURLConnection.setDefaultSSLSocketFactory() and setDefaultHostnameVerifier() calls affected every HttpsURLConnection in the Jenkins master JVM, not just the plugin's own connections, leaving the entire JVM exposed to MITM attacks.
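The following is an added example, not code from the vManager plugin or from Miggo, that places the pre-patch pattern described above next to the patched shape (a private Apache HttpClient 4.x client whose relaxed checks are opt-in) and adds a small check a Jenkins controller could run to detect that some plugin has swapped the JVM-wide TLS defaults. The class name, the allowInsecure parameter and the main() flow are assumptions; the Apache HttpClient and JSSE calls are the real APIs.

```java
// Added example (not the plugin's own code). Contrasts the global TLS bypass
// described in the root cause analysis with a per-client, opt-in configuration,
// and shows a defensive check for JVM-wide default replacement.
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;

public final class VManagerTlsExample { // hypothetical class name

    // Snapshot of the JVM-wide defaults, taken when this class loads. In a real
    // controller this snapshot belongs in an early initializer, before plugins run.
    private static final SSLSocketFactory ORIGINAL_FACTORY =
            HttpsURLConnection.getDefaultSSLSocketFactory();
    private static final HostnameVerifier ORIGINAL_VERIFIER =
            HttpsURLConnection.getDefaultHostnameVerifier();

    /** Pre-patch anti-pattern: after this call, every HttpsURLConnection in the JVM
     *  accepts any certificate for any hostname, not just the plugin's connections. */
    static void fixUntrustCertificateGlobal() throws NoSuchAlgorithmException, KeyManagementException {
        TrustManager[] trustEverything = { new X509TrustManager() {
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustEverything, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());    // JVM-wide
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true); // JVM-wide
    }

    /** Patched shape: a private client. Relaxed checks are scoped to this client
     *  and applied only when the user explicitly opts in. */
    static CloseableHttpClient buildClient(boolean allowInsecure) // allowInsecure: assumed option name
            throws NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
        if (!allowInsecure) {
            // JVM trust store plus the standard hostname check.
            return HttpClients.createDefault();
        }
        SSLContext ctx = SSLContextBuilder.create()
                .loadTrustMaterial(null, new TrustSelfSignedStrategy())
                .build();
        SSLConnectionSocketFactory csf =
                new SSLConnectionSocketFactory(ctx, NoopHostnameVerifier.INSTANCE);
        return HttpClients.custom().setSSLSocketFactory(csf).build();
    }

    /** Detection: true as long as nothing has replaced the JVM-wide defaults.
     *  HttpsURLConnection caches both defaults in static fields, so identity
     *  comparison against the snapshot is sufficient. */
    static boolean jvmTlsDefaultsIntact() {
        return HttpsURLConnection.getDefaultSSLSocketFactory() == ORIGINAL_FACTORY
            && HttpsURLConnection.getDefaultHostnameVerifier() == ORIGINAL_VERIFIER;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("defaults intact at start: " + jvmTlsDefaultsIntact());
        try (CloseableHttpClient strict = buildClient(false);
             CloseableHttpClient lax = buildClient(true)) {
            // Both clients coexist; neither touches the JVM-wide defaults.
            System.out.println("defaults intact after building clients: " + jvmTlsDefaultsIntact());
        }
        fixUntrustCertificateGlobal();
        System.out.println("defaults intact after global bypass: " + jvmTlsDefaultsIntact());
    }
}
```

Two points worth noting. First, the check only works if the snapshot is taken before any plugin code runs; a controller that records it during early initialization can log or alert when a later call flips it, which is how this class of bug becomes visible without reading plugin source. Second, even the scoped opt-in path still accepts any self-signed certificate for any host on that one client; where the vManager server's certificate is known, importing it into a dedicated trust store and keeping the standard hostname verifier is the tighter option.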


WAF Protection Rules

WAF Rule

Jenkins Cadence vManager Plugin prior to version 2.7.1 disables SSL/TLS and hostname verification globally for the Jenkins master JVM. This issue is patched in 2.7.1.
