#VU21553 Improper Certificate Validation in Codefresh Integration - CVE-2019-10381

Cybersecurity Help s.r.o.

Published: 2019-10-04 | Updated: 2019-10-10

Vulnerability identifier: #VU21553

Vulnerability risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-10381

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Codefresh Integration
Web applications / Modules and components for CMS

Vendor: Jenkins

Description
The vulnerability allows a remote attacker to perform a man-in-the-middle (MiTM) attack.

The vulnerability exists due to the affected software unconditionally disables SSL/TLS certificate validation for the entire Jenkins master JVM. A remote attacker can supply a specially crafted SSL/TLS certificate, conduct man-in-the-middle attacks and connect to a targeted system.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Codefresh Integration: 1.0 - 1.8

External links
https://www.openwall.com/lists/oss-security/2019/08/07/1
https://jenkins.io/security/advisory/2019-08-07/#SECURITY-931

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper Certificate Validation in Codefresh Integration plugin for Jenkins