Package Instance

Improper Validation of Certificate with Host Mismatch in Jenkins Mailer Plugin
Jenkins Mailer Plugin prior to 1.32.1, 1.31.1, and 1.29.1 does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

Mailer Plugin 1.32.1, 1.31.1, and 1.29.1 validates the SMTP hostname when connecting via TLS by default. In Mailer Plugin 1.32 and earlier, administrators can set the Java system property mail.smtp.ssl.checkserveridentity to true on startup to enable this protection.

In case of problems, this protection can be disabled again by setting the Java system property mail.smtp.ssl.checkserveridentity to false on startup.

Missing permission check in Blue Ocean Plugin
### Updated 2020-09-16
This entry previously misidentified the problematic behavior. The HTTP request itself is legitimate, but only authorized users should be able to perform it.

### Original Description
Blue Ocean Plugin 1.23.2 and earlier does not perform permission checks in several HTTP endpoints implementing connection tests.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Blue Ocean Plugin 1.23.3 requires Item/Create permission to perform these connection tests.

Path traversal vulnerability in Blue Ocean Plugin
Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag, `blueocean.features.GIT_READ_SAVE_TYPE`, that when set to the value `clone` allows an attacker with Item/Configure or Item/Create permission to read arbitrary files on the Jenkins controller file system.

Blue Ocean Plugin 1.23.3 no longer includes this feature and redirects existing usage to a safer alternative.

Jenkins JIRA Plugin allows users to select and use credentials with System scope
Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope. Jira Plugin 3.0.11 defines the appropriate folder context for credential lookup. As a side effect, existing per-folder Jira sites may lose access to already configured System-scoped credentials, as if no credential was specified in the first place.