CVE-2020-2252
Description
Jenkins Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Mailer Plugin before 1.32.1 lacks SMTP hostname validation, enabling man-in-the-middle attacks on email connections.
Jenkins Mailer Plugin versions 1.32 and earlier do not validate the SMTP server hostname when establishing a TLS connection. This means the plugin does not verify that the certificate presented by the SMTP server matches the configured hostname, leaving the connection vulnerable to interception [1].
An attacker positioned on the network between Jenkins and the SMTP server can exploit this flaw by presenting a rogue certificate, which the plugin accepts because it never checks that the certificate matches the configured hostname. No prior authentication is required beyond that network position; the exposed surface is the SMTP connection itself [1][2].
Successful exploitation allows the attacker to read or modify email content sent by Jenkins, potentially leaking sensitive information or altering notifications sent to users [1].
The vulnerability is fixed in Mailer Plugin version 1.32.1, which enables hostname validation by default. For earlier versions, administrators can enable protection by setting the Java system property mail.smtp.ssl.checkserveridentity to true on startup [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:mailer | Maven | >= 1.32, < 1.32.1 | 1.32.1 |
| org.jenkins-ci.plugins:mailer | Maven | >= 1.30, < 1.31.1 | 1.31.1 |
| org.jenkins-ci.plugins:mailer | Maven | < 1.29.1 | 1.29.1 |
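The following is an added audit helper, not code from the Jenkins project or the advisory. It encodes the three affected ranges from the table above and checks whether the startup mitigation named in the AI Insight (the `mail.smtp.ssl.checkserveridentity` system property) is present in a JAVA_OPTS-style string. The sample versions and option strings at the bottom are constructed for illustration; the way JVM options are obtained on a real instance is an assumption left to the operator.

```python
"""Audit helper for CVE-2020-2252 (Jenkins Mailer Plugin SMTP hostname validation).

Added example, not Jenkins project code. It combines two checks a defender wants:
  1. is the installed Mailer plugin version inside an affected range (from the GHSA table)?
  2. does the JVM start with -Dmail.smtp.ssl.checkserveridentity=true (the documented
     mitigation for unpatched releases)?
"""
import re
import shlex

# Affected ranges as (lower bound inclusive or None, upper bound exclusive),
# copied from the advisory table: >=1.32 <1.32.1, >=1.30 <1.31.1, <1.29.1.
AFFECTED_RANGES = [
    ((1, 32), (1, 32, 1)),
    ((1, 30), (1, 31, 1)),
    (None, (1, 29, 1)),
]

PATCHED = "patched"
MITIGATED = "mitigated"
VULNERABLE = "vulnerable"

_PROP = re.compile(r"-Dmail\.smtp\.ssl\.checkserveridentity=(.*)")


def parse_version(text):
    """Turn '1.32.1' into (1, 32, 1); a trailing qualifier such as '-SNAPSHOT' is dropped."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True when the version falls inside any affected range (tuple comparison)."""
    v = parse_version(version)
    return any((low is None or v >= low) and v < high for low, high in AFFECTED_RANGES)


def checkserveridentity_setting(java_opts):
    """Return the value given to -Dmail.smtp.ssl.checkserveridentity, or None if unset.

    When the flag is repeated, the last occurrence wins, as the JVM treats repeated -D flags.
    """
    value = None
    for token in shlex.split(java_opts):
        m = _PROP.fullmatch(token)
        if m:
            value = m.group(1).strip().lower()
    return value


def assess(plugin_version, java_opts=""):
    """One verdict for an instance: patched, mitigated or vulnerable."""
    setting = checkserveridentity_setting(java_opts)
    if setting == "false":
        # The fix only applies its default when the property is unset, so an
        # explicit false keeps hostname validation off even on a patched release.
        return VULNERABLE
    if not is_affected(plugin_version):
        return PATCHED
    if setting == "true":
        return MITIGATED
    return VULNERABLE


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real Jenkins instance.
    samples = [
        ("1.32", ""),
        ("1.32", "-Xmx2g -Dmail.smtp.ssl.checkserveridentity=true"),
        ("1.32.1", ""),
        ("1.32.1", "-Dmail.smtp.ssl.checkserveridentity=false"),
        ("1.29.5", ""),
    ]
    for ver, opts in samples:
        print(f"Mailer {ver} with JVM opts {opts!r}: {assess(ver, opts)}")
```

The explicit-`false` branch mirrors the null check in the fix commit below: the patch supplies a default only when nothing is set, so the property remains an operator override in both directions.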
Affected products
- Range: <=1.32
- Range: unspecified
Patches
e1893c6d1056 SECURITY-1813
1 file changed · +3 −0
src/main/java/hudson/tasks/Mailer.java+3 −0 modified@@ -383,6 +383,9 @@ private static Session createSession(String smtpHost, String smtpPort, boolean u props.put("mail.smtp.socketFactory.class","javax.net.ssl.SSLSocketFactory"); } props.put("mail.smtp.socketFactory.fallback", "false"); + if (props.getProperty("mail.smtp.ssl.checkserveridentity") == null) { + props.put("mail.smtp.ssl.checkserveridentity", "true"); + } } if(useTls){ /* This allows the user to override settings by setting system properties and
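Review bot: The three added lines sit inside the branch that configures `javax.net.ssl.SSLSocketFactory` (the block that closes just before `if(useTls)`), so the STARTTLS path that follows is outside this hunk; since `mail.smtp.ssl.checkserveridentity` governs the certificate identity check for both implicit-TLS and STARTTLS sessions, confirm the same default is applied when `useTls` is set, or place the `if (props.getProperty("mail.smtp.ssl.checkserveridentity") == null)` block after both branches. The null guard intentionally leaves an explicit system-property value of `false` in force, consistent with the override comment that follows, so the advisory text should make clear that operators who set the property to `false` remain unprotected even on the patched release.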
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6fr3-286q-q3cr (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-2252 (NVD)
- www.openwall.com/lists/oss-security/2020/09/16/3 (oss-security mailing list)
- github.com/CVEProject/cvelist/blob/16860a328d970faa6e4350b0fa446f64a52e52ca/2020/2xxx/CVE-2020-2252.json (CVE record)
- github.com/jenkinsci/mailer-plugin/commit/e1893c6d105669f134ee5c5212ef9f3944d7d00d (fix commit)
- www.jenkins.io/security/advisory/2020-09-16/ (vendor advisory)
News mentions
- Jenkins Security Advisory 2020-09-16 (Jenkins Security Advisories, Sep 16, 2020)