CVE-2017-1000397
Description
Jenkins Maven Plugin 2.17 and earlier bundled a vulnerable commons-httpclient library, enabling man-in-the-middle attacks due to improper SSL certificate verification.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Maven Plugin 2.17 and earlier bundled a vulnerable commons-httpclient library, enabling man-in-the-middle attacks due to improper SSL certificate verification.
Vulnerability
Jenkins Maven Plugin versions 2.17 and earlier bundled a version of the commons-httpclient library that is affected by CVE-2012-6153. This vulnerability causes the library to incorrectly verify SSL certificates, making HTTPS connections susceptible to man-in-the-middle attacks. Maven Plugin 3.0 removes the dependency on commons-httpclient, resolving the issue [1].
Exploitation
An attacker with a position on the network path between the Jenkins server and a target HTTPS endpoint can exploit the flawed SSL certificate verification. The attacker must be able to intercept and modify network traffic (man-in-the-middle). No authentication or special permissions on the Jenkins system are required to trigger the vulnerable code path, as the library is used during normal Maven plugin operations that involve HTTPS connections.
Impact
Successful exploitation allows an attacker to intercept, decrypt, and potentially modify HTTPS traffic between the Jenkins Maven Plugin and remote services. This can lead to disclosure of sensitive information (such as credentials, source code, or build artifacts) and potentially allow the attacker to inject malicious content into the communication stream, compromising the integrity of the data [1].
Mitigation
Upgrade to Jenkins Maven Plugin 3.0 or later, which no longer depends on the vulnerable commons-httpclient library. No workaround is available for earlier versions. The fix was released on or before the advisory publication date of 2017-10-11 [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.main:maven-pluginMaven | < 3.0 | 3.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
4- github.com/advisories/GHSA-qhxw-54m9-6wwcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-1000397ghsaADVISORY
- jenkins.io/security/advisory/2017-10-11/mitrex_refsource_CONFIRM
- www.jenkins.io/security/advisory/2017-10-11ghsaWEB
News mentions
0No linked articles in our index yet.