CVE-2019-16558: Improper Certificate Validation in Jenkins Spira Importer Plugin
CVSS Score: 8.2 (CVSS v3.1)
Basic Information
CVE ID: CVE-2019-16558
GHSA ID:
EPSS Score: 0.05802%
CWE: CWE-295 (Improper Certificate Validation)
Published: 5/24/2022
Updated: 1/30/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
com.inflectra.spiratest.plugins:inflectra-spira-integration | maven | < 3.2.4 | 3.2.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability involves disabling SSL/TLS validation at the JVM level. This requires (1) a custom TrustManager that skips certificate checks, (2) a HostnameVerifier that skips host name validation, and (3) a configuration method that applies these settings globally. While the exact code isn't shown, the advisory's description of JVM-wide impact and the CWE-295 classification match known Java SSL anti-patterns. The functions are reconstructed based on standard SSL bypass implementations and the plugin's purpose of making HTTPS connections to Spira.
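The JVM-wide anti-pattern the analysis describes, placed beside the form a patched plugin should use and a check a reviewer can run against a running process. This is an added illustration, not the plugin's own code; the class and method names are assumptions.

```java
import javax.net.ssl.*;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

public class SpiraTlsExample {

    // Weak pattern (CWE-295): a TrustManager and HostnameVerifier that accept
    // anything, installed as the process-wide defaults. Every HttpsURLConnection
    // in the JVM, not only the plugin's, then accepts any certificate for any host.
    static void installTrustAllDefaults() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
    }

    // Hardened form: leave the JVM defaults alone (platform trust store plus
    // endpoint identification during the handshake) and override nothing
    // globally. A self-signed Spira server belongs in a dedicated trust store
    // handed to a per-connection SSLContext, never in a trust-all manager.
    static HttpsURLConnection openValidated(URL spiraUrl) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) spiraUrl.openConnection();
        // No setSSLSocketFactory / setHostnameVerifier calls here: the default
        // X509TrustManager validates the chain and the handshake checks the host.
        conn.connect();
        return conn;
    }

    // Detection aid: confirm the process default has not been replaced by a
    // permissive verifier. The JDK's built-in default verifier returns false for
    // every call; a trust-all lambda like the one above returns true.
    static boolean defaultVerifierIsPermissive() {
        HostnameVerifier v = HttpsURLConnection.getDefaultHostnameVerifier();
        return v.verify("mismatched.invalid", null);
    }
}
```

Because the weak settings are global, the check is worth running from a Jenkins test or script console after all plugins have loaded, not only inside the plugin under review.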