The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Jenkins | Jenkins | * | 1.639 |