VYPR
Moderate severity · NVD Advisory · Published Jun 11, 2019 · Updated Aug 4, 2024

CVE-2019-10334

Description

Jenkins ElectricFlow Plugin 1.1.5 and earlier disabled SSL/TLS and hostname verification globally for the Jenkins master JVM when MultipartUtility.java is used to upload files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins ElectricFlow Plugin up to 1.1.5 disables SSL/TLS certificate validation and hostname verification globally for the JVM when sending multipart file uploads.

Vulnerability Overview

CVE-2019-10334 affects the Jenkins ElectricFlow Plugin (formerly CloudBees CD Plugin) versions 1.1.5 and earlier. The plugin, specifically in the MultipartUtility.java class, disables all SSL/TLS certificate validation and hostname verification for the entire Jenkins master JVM when performing file uploads [1][3]. This is achieved by installing a trust-all TrustManager and a permissive HostnameVerifier globally via HttpsURLConnection.setDefaultSSLSocketFactory() and related methods [4].

Exploitation and Attack Surface

The vulnerability is triggered whenever the plugin uses MultipartUtility to upload files. The insecure configuration is applied globally, meaning that any HTTPS connection made by the Jenkins master, including those made by other plugins or core functionality, will accept any SSL certificate and any hostname, including self-signed or malicious certificates [1][3]. An attacker does not need to be authenticated to Jenkins; they can exploit this by intercepting network traffic (e.g., man-in-the-middle attack) or by hosting a malicious server that the plugin connects to [2].

Impact

An attacker positioned to intercept or redirect network traffic from the Jenkins master can perform man-in-the-middle attacks and decrypt, modify, or inject data into any HTTPS connection. This could lead to disclosure of sensitive information (e.g., credentials, build artifacts), manipulation of transmitted data, or further compromise of the Jenkins environment. The global disablement of SSL/TLS verification is a severe weakness that affects the security posture of the entire Jenkins instance.

Mitigation

The vulnerability is fixed in ElectricFlow Plugin version 1.1.7 [2][4]. The fix adds a parameter ignoreSslConnectionErrors to the MultipartUtility constructor and removes the global trust-all trust manager and hostname verifier, instead limiting insecure connections only to those explicitly intended by the administrator [4]. Users should update to version 1.1.7 or later immediately. No workaround is available; using a plugin version below 1.1.5 leaves the Jenkins instance vulnerable.
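A code-review check for the pattern this advisory describes, added here as an example and not taken from the plugin or the advisory: a small Python lint that separates JVM-wide HttpsURLConnection default overrides (the CVE pattern) from per-connection ones, run over two constructed Java fragments modelled on the removed and added lines of the fix commit.

```python
"""Lint Java source for JVM-wide TLS overrides like the one removed in SECURITY-1411."""
import re

# Static setters that rebind HTTPS defaults for the whole JVM versus instance setters scoped to one connection.
JVM_WIDE = {"setDefaultSSLSocketFactory", "setDefaultHostnameVerifier"}
PER_CONNECTION = {"setSSLSocketFactory", "setHostnameVerifier"}
METHOD_CALL = re.compile(r"\b\w+\.(\w+)\s*\(")
# Trust-all building blocks: an empty checkServerTrusted body and an always-true verifier lambda.
EMPTY_SERVER_TRUST = re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}")
ALWAYS_TRUE_VERIFIER = re.compile(r"\(\s*\w+\s*,\s*\w+\s*\)\s*->\s*true\b")

def _line_of(src: str, offset: int) -> int:
    return src.count("\n", 0, offset) + 1

def scan_java(src: str) -> list:
    """Return (line, kind, detail) tuples sorted by line; regex based, so a review aid, not a proof."""
    found = []
    for m in METHOD_CALL.finditer(src):
        name = m.group(1)
        if name in JVM_WIDE:
            found.append((_line_of(src, m.start()), "jvm-wide", f"{name} rebinds the JVM default"))
        elif name in PER_CONNECTION:
            found.append((_line_of(src, m.start()), "per-connection", f"{name} is scoped to one connection"))
    for m in EMPTY_SERVER_TRUST.finditer(src):
        found.append((_line_of(src, m.start()), "trust-all", "empty checkServerTrusted accepts any chain"))
    for m in ALWAYS_TRUE_VERIFIER.finditer(src):
        found.append((_line_of(src, m.start()), "trust-all", "HostnameVerifier that always returns true"))
    return sorted(found)

def has_jvm_wide_override(src: str) -> bool:
    """True when the code would relax TLS for other plugins and Jenkins core, not just itself."""
    return any(kind == "jvm-wide" for _, kind, _ in scan_java(src))

# Constructed fragments modelled on the removed and added lines of the SECURITY-1411 diff.
BEFORE = """\
TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
    @Override public void checkServerTrusted(X509Certificate[] certs, String authType) { }
} };
SSLContext sc = SSLContext.getInstance("SSL");
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HostnameVerifier allHostsValid = (hostname, session) -> true;
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
"""
AFTER = """\
if (ignoreSslConnectionErrors) {
    httpConn.setSSLSocketFactory(RelaxedSSLContext.getInstance().getSocketFactory());
    httpConn.setHostnameVerifier(RelaxedSSLContext.allHostsValid);
}
"""
```

Run over a plugin's source tree, any "jvm-wide" finding is the thing to block in review; "per-connection" and "trust-all" findings still deserve a look to confirm they are behind an explicit, default-off administrator setting.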

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:electricflow (Maven)
Affected versions: < 1.1.7
Patched versions: 1.1.7

Affected products: 2

Patches: 1
d0b807d5e2de

[SECURITY-1411]

https://github.com/jenkinsci/electricflow-plugin · Olexii Vasilkovsky · May 29, 2019 · via ghsa
2 files changed · +21 -35
  • src/main/java/org/jenkinsci/plugins/electricflow/ElectricFlowClient.java (+1 -1, modified)
    @@ -389,7 +389,7 @@ public String uploadArtifact(
                     + "/commander/cgi-bin/publishArtifactAPI.cgi";
     
             // return sessionId;
    -        MultipartUtility multipart = new MultipartUtility(requestURL, CHARSET);
    +        MultipartUtility multipart = new MultipartUtility(requestURL, CHARSET, this.getIgnoreSslConnectionErrors());
     
             multipart.addFormField("artifactName", name);
             multipart.addFormField("artifactVersionVersion", version);
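Review bot: the new argument `this.getIgnoreSslConnectionErrors()` is now the only thing deciding whether this upload skips certificate and hostname checks, yet nothing in this hunk shows where that flag is set or what it defaults to; a javadoc line on the getter stating that it defaults to false and is an explicit per-configuration opt-in would make the intent reviewable. The constructor also stops declaring `NoSuchAlgorithmException` and `KeyManagementException`, so any `catch` of those around `new MultipartUtility(...)` in `uploadArtifact` (outside the visible context) would no longer compile and must be dropped. While touching this spot, the stale `// return sessionId;` comment two lines above could go.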
    
  • src/main/java/org/jenkinsci/plugins/electricflow/MultipartUtility.java (+20 -34, modified)
    @@ -9,6 +9,9 @@
     
     package org.jenkinsci.plugins.electricflow;
     
    +import org.apache.commons.logging.Log;
    +import org.apache.commons.logging.LogFactory;
    +
     import java.io.BufferedReader;
     import java.io.File;
     import java.io.FileInputStream;
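Review bot: the javax.net.ssl imports that the removed trust-all code needed (TrustManager, X509TrustManager, SSLContext, HostnameVerifier) are not removed anywhere in this diff, so they become unused imports unless they still serve code outside the visible hunks; please clean them up in the same commit. Also confirm that org.apache.commons.logging is a declared dependency of the plugin rather than something picked up transitively, since this file did not use it before.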
    @@ -37,6 +40,7 @@ public class MultipartUtility
         //~ Static fields/initializers ---------------------------------------------
     
         private static final String LINE_FEED = "\r\n";
    +    private static final Log log = LogFactory.getLog(MultipartUtility.class);
     
         //~ Instance fields --------------------------------------------------------
     
    @@ -54,47 +58,18 @@ public class MultipartUtility
          *
          * @param   requestURL  URL for request
          * @param   charset     name of encodings
    +     * @param   ignoreSslConnectionErrors Override Electric Flow SSL Validation Check
          *
    -     * @throws  NoSuchAlgorithmException  Exception
    -     * @throws  KeyManagementException    Exception
          * @throws  IOException               Exception
          */
         public MultipartUtility(
                 String requestURL,
    -            String charset)
    -        throws NoSuchAlgorithmException, KeyManagementException, IOException
    +            String charset,
    +            boolean ignoreSslConnectionErrors)
    +        throws IOException
         {
             this.charset = charset;
     
    -        TrustManager[] trustAllCerts = new TrustManager[] {
    -            new X509TrustManager() {
    -                @Override public java.security.cert.X509Certificate[] getAcceptedIssuers()
    -                {
    -                    return null;
    -                }
    -
    -                @Override public void checkClientTrusted(
    -                        X509Certificate[] certs,
    -                        String            authType) { }
    -
    -                @Override public void checkServerTrusted(
    -                        X509Certificate[] certs,
    -                        String            authType) { }
    -            }
    -        };
    -
    -        // Install the all-trusting trust manager
    -        SSLContext sc = SSLContext.getInstance("SSL");
    -
    -        sc.init(null, trustAllCerts, new java.security.SecureRandom());
    -        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    -
    -        // Create all-trusting host name verifier
    -        HostnameVerifier allHostsValid = (hostname, session) -> true;
    -
    -        // Install the all-trusting host verifier
    -        HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
    -
             // creates a unique boundary based on time stamp
             boundary = "===" + System.currentTimeMillis() + "===";
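Review bot: the javadoc for `ignoreSslConnectionErrors` ("Override Electric Flow SSL Validation Check") understates what the flag does; say plainly that when true, certificate-chain and hostname verification are skipped for this upload connection, and that it must default to false. Removing the `HttpsURLConnection.setDefaultSSLSocketFactory(...)` and `setDefaultHostnameVerifier(...)` calls is the actual security fix, since those rebound the defaults for every HTTPS connection in the JVM; it would help future readers to state that in the commit message or a comment rather than leaving only the deleted lines as the record.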
     
    @@ -107,10 +82,21 @@ public MultipartUtility(
             httpConn.setDoInput(true);
             httpConn.setRequestProperty("Content-Type",
                 "multipart/form-data; boundary=" + boundary);
    +
    +        if (ignoreSslConnectionErrors) {
    +            try {
    +                httpConn.setSSLSocketFactory(RelaxedSSLContext.getInstance().getSocketFactory());
    +            } catch (KeyManagementException | NoSuchAlgorithmException e) {
    +                if (log.isDebugEnabled()) {
    +                    log.debug(e.getMessage(), e);
    +                }
    +            }
    +            httpConn.setHostnameVerifier(RelaxedSSLContext.allHostsValid);
    +        }
    +
             outputStream = httpConn.getOutputStream();
             writer       = new PrintWriter(new OutputStreamWriter(outputStream,
                         charset), true);
    -        // Create a trust manager that does not validate certificate chains
         }
     
         //~ Methods ----------------------------------------------------------------
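Review bot: when `RelaxedSSLContext.getInstance()` throws, the exception is only logged at debug level and execution falls through to `httpConn.setHostnameVerifier(RelaxedSSLContext.allHostsValid)`, leaving the connection with the default (strict) socket factory but a permissive hostname verifier; that state fails safe but silently, and an administrator who deliberately set `ignoreSslConnectionErrors` will see an unexplained handshake failure. Suggest logging at warn level and moving the `setHostnameVerifier` call inside the same `try`, so the two relaxations are applied together or not at all. Applying both before `httpConn.getOutputStream()` is correct, since that call is what opens the connection; keep that ordering.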
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7
