
CVE-2019-16558: Improper Certificate Validation in Jenkins Spira Importer Plugin

CVSS Score (v3.1): 8.2

Basic Information

EPSS Score: 0.05802%
Published: 5/24/2022
Updated: 1/30/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Package Name: com.inflectra.spiratest.plugins:inflectra-spira-integration
Ecosystem: maven
Vulnerable Versions: < 3.2.4
First Patched Version: 3.2.4

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is that the plugin disables SSL/TLS certificate validation at the JVM level rather than for its own connections only. The Java pattern behind CWE-295 has three parts: 1) a custom `X509TrustManager` whose `checkServerTrusted` accepts any certificate chain, 2) a `HostnameVerifier` whose `verify` returns true for any host, and 3) a configuration step that installs both as process-wide defaults, typically `HttpsURLConnection.setDefaultSSLSocketFactory(...)` and `HttpsURLConnection.setDefaultHostnameVerifier(...)`. The plugin's source is not reproduced on this page; the root cause is inferred from that standard anti-pattern, from the advisory's statement that the whole Jenkins master JVM is affected, and from the plugin's purpose, making HTTPS requests to a Spira server. Because the defaults are global, every outbound HTTPS connection the Jenkins controller opens after the plugin runs, including connections made by other plugins, accepts any certificate, so an on-path attacker can read or modify that traffic; that is what the vector's C:H reflects.
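The anti-pattern described above, placed beside a scoped alternative, as an added example. This is illustrative code written for this page, not the plugin's own source: the method names, the truststore arguments and the Spira URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsValidationExample {

    // VULNERABLE (reconstructed anti-pattern, hypothetical; not the plugin's code).
    // Installs a trust-everything TrustManager and a hostname verifier that never
    // fails as the process-wide defaults. Every HttpsURLConnection opened anywhere
    // in the Jenkins controller JVM afterwards inherits them.
    static void disableTlsValidationGlobally() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
                public void checkClientTrusted(X509Certificate[] chain, String authType) { } // no check
                public void checkServerTrusted(X509Certificate[] chain, String authType) { } // no check
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());     // JVM-wide
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true); // JVM-wide
    }

    // HARDENED: validation stays on and trust is scoped to this one connection.
    // trustStorePath == null means "use the JVM's default CA store" (fine for a
    // Spira server with a publicly trusted certificate); otherwise load the
    // operator-provided store holding the internal CA that signed the Spira cert.
    static HttpsURLConnection openValidatedConnection(URL spiraUrl, String trustStorePath,
                                                      char[] trustStorePassword) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (trustStorePath == null) {
            tmf.init((KeyStore) null); // JDK default truststore (cacerts)
        } else {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(trustStorePath)) {
                ks.load(in, trustStorePassword);
            }
            tmf.init(ks);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) spiraUrl.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // instance-level, not the static default
        // The default HostnameVerifier is left in place, so the certificate's SAN
        // must match spiraUrl's host; no other connection in the JVM is touched.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical Spira endpoint; replace with your instance and, if it uses
        // an internal CA, pass the path and password of a truststore containing that CA.
        URL url = new URL("https://spira.example.invalid/");
        HttpsURLConnection conn = openValidatedConnection(url, null, null);
        System.out.println("HTTP " + conn.getResponseCode()); // SSLHandshakeException if the cert is untrusted
    }
}
```

To check whether a running controller has already been affected by this or any similar plugin, the Jenkins script console can print `javax.net.ssl.HttpsURLConnection.getDefaultHostnameVerifier().getClass()` and `getDefaultSSLSocketFactory().getClass()`; a class from a plugin's package rather than the JDK's own indicates the defaults were replaced. Upgrading to 3.2.4 removes the cause, but the static defaults persist in the JVM until the controller restarts.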


WAF Protection Rules

WAF Rule

Jenkins Spira Importer Plugin 3.2.3 and earlier disables SSL/TLS certificate validation for the Jenkins master JVM.
