GHSA-6fr3-286q-q3cr

GitHub Security Advisory

Improper Validation of Certificate with Host Mismatch in Jenkins Mailer Plugin

GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

Jenkins Mailer Plugin prior to 1.32.1, 1.31.1, and 1.29.1 does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

Mailer Plugin 1.32.1, 1.31.1, and 1.29.1 validates the SMTP hostname when connecting via TLS by default. In Mailer Plugin 1.32 and earlier, administrators can set the Java system property mail.smtp.ssl.checkserveridentity to true on startup to enable this protection.

In case of problems, this protection can be disabled again by setting the Java system property mail.smtp.ssl.checkserveridentity to false on startup.
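The version thresholds and the system-property behaviour described above can be turned into a small inventory check. The following Python script is an added example, not code from the advisory or from the Mailer Plugin: it takes a plugin version and the JVM startup options and reports whether SMTP hostname validation is in effect. The function names (is_fixed, hostname_validation_enabled, assess), the constructed sample inventory, and the case-insensitive reading of the property value are assumptions made for illustration.

```python
"""Check whether SMTP hostname validation is in effect for the Jenkins Mailer Plugin.

Added illustration for GHSA-6fr3-286q-q3cr; not part of the advisory or of the
Mailer Plugin code base. It encodes only what the advisory states: fixed
releases (1.29.1, 1.31.1, 1.32.1 and later on each line) validate by default
unless mail.smtp.ssl.checkserveridentity is set to false; earlier releases
validate only when that property is set to true.
"""
import re
import shlex

PROPERTY = "mail.smtp.ssl.checkserveridentity"

# Fixed version ranges taken from the advisory's "Affected Packages" section:
# each tuple is (first fixed version, first version of the next release line).
FIXED_RANGES = [
    ((1, 29, 1), (1, 30, 0)),
    ((1, 31, 1), (1, 32, 0)),
    ((1, 32, 1), None),          # 1.32.1 and everything later
]


def parse_version(version: str) -> tuple:
    """Turn '1.32.1' into (1, 32, 1); missing components are treated as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_fixed(version: str) -> bool:
    """True if this plugin version validates the SMTP hostname by default."""
    v = parse_version(version)
    for low, high in FIXED_RANGES:
        if v >= low and (high is None or v < high):
            return True
    return False


def system_properties(java_opts: str) -> dict:
    """Extract -Dkey=value pairs from a JVM options string (e.g. JAVA_OPTS)."""
    props = {}
    for token in shlex.split(java_opts):
        m = re.fullmatch(r"-D([^=]+)=(.*)", token)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def hostname_validation_enabled(version: str, java_opts: str = "") -> bool:
    """Decide whether the Mailer Plugin will verify the SMTP server's
    certificate hostname, given the plugin version and JVM startup options.

    Assumption (not stated in the advisory): the property value is compared
    case-insensitively, as java.lang.Boolean.parseBoolean would.
    """
    value = system_properties(java_opts).get(PROPERTY, "").strip().lower()
    if is_fixed(version):
        # Fixed releases validate by default; only an explicit false disables it.
        return value != "false"
    # Affected releases validate only when the property is explicitly true.
    return value == "true"


def assess(version: str, java_opts: str = "") -> str:
    """One-line, human-readable verdict for an inventory report."""
    status = "fixed" if is_fixed(version) else "affected"
    verdict = "enabled" if hostname_validation_enabled(version, java_opts) else "DISABLED"
    return f"mailer {version} ({status}): SMTP hostname validation {verdict}"


if __name__ == "__main__":
    # Constructed sample inventory: (plugin version, JVM options on startup)
    samples = [
        ("1.32", ""),
        ("1.32", f"-Xmx2g -D{PROPERTY}=true"),
        ("1.32.1", ""),
        ("1.32.1", f"-D{PROPERTY}=false"),
        ("1.30", ""),
    ]
    for version, opts in samples:
        print(assess(version, opts))
```

The check reads the property from the JVM options because the advisory says it is set as a Java system property on startup; on a fixed release an explicit false is the only thing that turns validation off, so a report line ending in DISABLED on a fixed version points at a deliberate override worth reviewing.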

Affected Packages

Maven org.jenkins-ci.plugins:mailer
  Affected versions: 1.32 (fixed in 1.32.1)
  Affected versions: >= 1.30, < 1.31.1 (fixed in 1.31.1)
  Affected versions: < 1.29.1 (fixed in 1.29.1)

Key Information

GHSA ID: GHSA-6fr3-286q-q3cr
Published: May 24, 2022 5:28 PM
Last Modified: May 23, 2023 8:56 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.plugins:mailer
GitHub Reviewed: Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from the GitHub Advisory Database. This information is provided for research and educational purposes.