4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2253

GHSA ID

GHSA-4qrj-99r6-jfrh

EPSS Score

0.09022%

CWE

CWE-295

Published

5/24/2022

Updated

12/14/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2253

CVE-2020-2253:
Missing hostname validation in Email Extension Plugin

Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

Email Extension Plugin 2.76 validates the SMTP hostname when connecting via TLS by default. In Email Extension Plugin 2.75 and earlier, administrators can set the Java system property mail.smtp.ssl.checkserveridentity to true on startup to enable this protection. Alternatively, this protection can be enabled (or disabled in the new version) via the 'Advanced Email Properties' field in the plugin’s configuration in Configure System.

In case of problems, this protection can be disabled again by setting mail.smtp.ssl.checkserveridentity to false using either method.

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2253

GHSA ID

GHSA-4qrj-99r6-jfrh

EPSS Score

0.09022%

CWE

CWE-295

Published

5/24/2022

Updated

12/14/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:email-ext	maven	<= 2.75	2.76

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing hostname validation during SMTP TLS handshakes. The commit diff shows the fix explicitly adds a check for 'mail.smtp.ssl.checkserveridentity' in the createSession() method, defaulting it to 'true' if unset. This method is responsible for configuring SMTP connection properties, and its failure to enforce hostname validation prior to the patch directly enabled the vulnerability. The CWE-295 mapping confirms this is an improper certificate validation issue.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*m*il *xt*nsion Plu*in *.** *n* **rli*r *o*s not p*r*orm *ostn*m* v*li**tion w**n *onn**tin* to t** *on*i*ur** SMTP s*rv*r. T*is l**k o* v*li**tion *oul* ** **us** usin* * m*n-in-t**-mi**l* *tt**k to int*r**pt t**s* *onn**tions. *m*il *xt*nsion Plu*

Reasoning

T** vuln*r**ility st*ms *rom missin* *ostn*m* `v*li**tion` *urin* SMTP TLS **n*s**k*s. T** *ommit *i** s*ows t** *ix *xpli*itly ***s * ****k *or 'm*il.smtp.ssl.****ks*rv*ri**ntity' in t** `*r**t*S*ssion()` m*t*o*, ****ultin* it to 'tru*' i* uns*t. T*

4.8

Basic Information

Concerned about an active attack path?

CVE-2020-2253: Missing hostname validation in Email Extension Plugin

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-2253:
Missing hostname validation in Email Extension Plugin

Vulnerability Intelligence
Miggo AI