CVE-2019-10314
Description
Jenkins Koji Plugin disables SSL/TLS and hostname verification globally for the Jenkins master JVM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Koji Plugin disables SSL/TLS and hostname verification globally for the Jenkins master JVM, enabling man-in-the-middle attacks.
Vulnerability Overview
The Jenkins Koji Plugin, in all versions affected at the time of the advisory (0.3 and earlier), contains a severe security flaw: it globally disables SSL/TLS certificate validation and hostname verification for the entire Jenkins controller JVM [1][2]. This is not a scoped or optional setting; the plugin unconditionally turns off these crucial security controls when it is loaded, affecting every HTTPS connection made by the Jenkins instance, not just the plugin's own connections to the Koji server.
Attack Vector and Exploitation
The vulnerability lies in the plugin's default behavior and requires no authentication or user interaction to trigger. Once the plugin is installed and the Jenkins master is started, SSL/TLS validation is disabled globally, leaving all of the JVM's network communications exposed. An attacker positioned on the network between the Jenkins server and any remote endpoint (e.g., source code repositories, artifact stores, or other services) can perform a man-in-the-middle attack, intercepting or modifying data in transit [1]. No special privileges or prior access to Jenkins are necessary for exploitation.
Impact
Successful exploitation allows an attacker to eavesdrop on all encrypted traffic to and from the Jenkins master, including credentials, build artifacts, and configuration data. More critically, the attacker can impersonate any remote server the Jenkins instance trusts, injecting malicious code or commands into builds, exfiltrating sensitive information, or altering the system's behavior. This undermines the security of the entire Jenkins environment [2].
Mitigation
The advisory was published on April 30, 2019, but as noted in the oss-security mailing list, there was no immediate fix from the plugin maintainer at the time of the advisory [2]. The recommended action is to remove or disable the Koji Plugin if it is not essential, or to apply SSL/TLS validation at the perimeter level (e.g., using a proxy or firewall) as a workaround. Users should monitor for official updates from the plugin's developers.
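The global-versus-scoped distinction described above, as an added example that is not code from the Koji plugin, Jenkins or the advisory: a standalone Java audit that probes the JVM's default HostnameVerifier offline (the JDK default rejects every host, so a true answer means verification has been disabled process-wide) and shows how TLS settings can be bound to a single connection instead of the static defaults. The class name, the placeholder URL and the use of the default SSLContext are assumptions.

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;

/** Constructed audit of the JVM-wide TLS defaults that a plugin can silently replace. */
public class TlsDefaultsAudit {

    /**
     * Probe the process-wide default HostnameVerifier with a session that has done no
     * handshake and carries no peer certificate. The JDK default rejects every host, so
     * a verifier that answers true here accepts any name: hostname verification has been
     * disabled for the whole JVM, which is what this advisory describes.
     */
    public static boolean globalHostnameVerificationDisabled() throws Exception {
        HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();
        SSLSession noHandshake = SSLContext.getDefault().createSSLEngine().getSession();
        try {
            return verifier.verify("unverified.example.invalid", noHandshake);
        } catch (RuntimeException e) {
            return false; // a strict verifier may throw instead of returning false
        }
    }

    /**
     * The scoped alternative: attach TLS settings to one connection so the static
     * HttpsURLConnection defaults, and every other HTTPS client in the JVM, stay untouched.
     * In a real deployment ctx would be built from a trust store holding only the Koji CA.
     */
    public static HttpsURLConnection scopedConnection(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection(); // no network I/O yet
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // per-instance, not setDefaultSSLSocketFactory
        return conn; // hostname verification deliberately left at the JDK default
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL: openConnection() builds the object without contacting anything.
        scopedConnection(new URL("https://koji.example.invalid/"), SSLContext.getDefault());
        System.out.println("Default HostnameVerifier: "
            + HttpsURLConnection.getDefaultHostnameVerifier().getClass().getName());
        System.out.println(globalHostnameVerificationDisabled()
            ? "FAIL: global hostname verification is disabled in this JVM"
            : "OK: the JDK default verifier still rejects unverified hosts");
    }
}
```

Run inside the Jenkins controller JVM (the same calls can be pasted into the Script Console) to see whether any installed plugin has replaced the global verifier; a fresh JVM prints OK.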
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:kojiMaven | <= 0.3 | — |
Affected products
- Range: 0.3 and earlier
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3qf7-9xhj-qcfj (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10314 (GHSA advisory)
- www.openwall.com/lists/oss-security/2019/04/30/5 (GHSA, mailing list, x_refsource_MLIST, web)
- www.securityfocus.com/bid/108159 (MITRE, vdb-entry, x_refsource_BID)
- jenkins.io/security/advisory/2019-04-30/ (GHSA, x_refsource_CONFIRM, web)
- web.archive.org/web/20200227073756/http://www.securityfocus.com/bid/108159 (GHSA, web)
News mentions
No linked articles in our index yet.