Miggo Logo
Miggo Vulnerability Database
CVE-2024-28161

CVE-2024-28161:
Jenkins Delphix Plugin has SSL/TLS certificate validation disabled by default

4.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-28161
GHSA ID
GHSA-xj36-6xc6-8p9x
EPSS Score
0.00964%
CWE
CWE-295
Published
3/6/2024
Updated
11/14/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:delphixmaven= 3.0.13.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key elements: 1) The DctSdkUtil constructor's conditional that disabled SSL verification when the global config flag was false (default insecure state). 2) The configuration system that defined 'sslCheck' as an opt-in security measure rather than opt-out. The commit diff shows the logic inversion in DctSdkUtil.java and documentation changes clarifying the 'disable validation' semantics, confirming these functions' roles in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In J*nkins **lp*ix Plu*in *.*.*, * *lo**l option *or **ministr*tors to *n**l* or *is**l* SSL/TLS **rti*i**t* v*li**tion *or **t* *ontrol Tow*r (**T) *onn**tions is *is**l** *y ****ult.

Reasoning

T** vuln*r**ility st*ms *rom two k*y *l*m*nts: *) T** `**tS*kUtil` *onstru*tor's *on*ition*l t**t *is**l** SSL v*ri*i**tion w**n t** *lo**l `*on*i*` *l** w*s **ls* (****ult ins**ur* st*t*). *) T** *on*i*ur*tion syst*m t**t ***in** 'ssl****k' *s *n op