Vulnerability & Exploit Database


Jenkins Advisory 2017-10-11: CVE-2017-1000396: CVE-2012-6153: Jenkins core bundled vulnerable version of the commons-httpclient library

Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: September 03, 2014
Added: November 19, 2017
Modified: November 19, 2017

Description

http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.


References

Solution

jenkins-lts-upgrade-2_73_2

Related Vulnerabilities