VYPR
Moderate severity · NVD Advisory · Published Sep 16, 2020 · Updated Aug 4, 2024

CVE-2020-2253

Description

Jenkins Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Email Extension Plugin ≤2.75 skips SMTP hostname validation, enabling man-in-the-middle attacks.

Vulnerability Overview

CVE-2020-2253 affects the Jenkins Email Extension Plugin (email-ext) versions 2.75 and earlier. The plugin fails to validate the SMTP server's hostname when establishing a connection. This missing validation allows an attacker to impersonate the SMTP server without the client verifying the server's identity [1][2].

Attack Vector

An attacker in a position to perform a man-in-the-middle attack on the network between Jenkins and the SMTP server can exploit this flaw. No prior authentication is required; the attack takes place during the TLS handshake when the plugin connects to the configured SMTP host. By presenting a forged certificate, the attacker can intercept the communication [2][4].

Impact

Successful exploitation lets the attacker intercept, read, or modify email notifications sent by Jenkins. This could expose sensitive information contained in build notifications, such as credentials, source code snippets, or internal project data. The vulnerability is rated Medium severity (CVSS) [2].

Remediation

Fixed in version 2.76 of the plugin, which enables SMTP hostname validation by default when connecting via TLS. Administrators running earlier versions can also set the Java system property mail.smtp.ssl.checkserveridentity to true to mitigate the issue until the plugin is upgraded [2][3].
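The remediation above, as an added example that is not the plugin's own code: it builds the JavaMail SMTP properties the way the patched createSession() does and shows why the 2.75 configuration is weak, what the 2.76 default changes, and how the fix's null guard defers to an explicit operator setting. The property keys are the real JavaMail ones from the diff; the class, method names and host value are constructed for the example, and it assumes (as the advisory describes) that JavaMail treats a missing key as "do not verify".

```java
import java.util.Properties;

/** Added example; helper names are hypothetical, property keys are JavaMail's. */
public class SmtpIdentityCheckExample {

    static final String CHECK_KEY = "mail.smtp.ssl.checkserveridentity";

    /** SSL session properties as email-ext 2.75 built them: TLS socket, no hostname check. */
    static Properties unpatchedSslProps(String host, int port) {
        Properties props = new Properties();
        props.put("mail.smtp.host", host);
        props.put("mail.smtp.port", String.valueOf(port));
        props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
        props.put("mail.smtp.socketFactory.fallback", "false");
        return props;
    }

    /** Mirrors the SECURITY-1851 change: enable the check unless the key was set explicitly. */
    static Properties applyIdentityCheckDefault(Properties props) {
        if (props.getProperty(CHECK_KEY) == null) {
            props.put(CHECK_KEY, "true");
        }
        return props;
    }

    /** True when the session configuration asks JavaMail to verify the certificate hostname. */
    static boolean verifiesServerIdentity(Properties props) {
        // Assumption: an absent key means no verification, the pre-fix behaviour.
        return Boolean.parseBoolean(props.getProperty(CHECK_KEY, "false"));
    }

    public static void main(String[] args) {
        String host = "smtp.example.internal"; // constructed sample host

        Properties weak = unpatchedSslProps(host, 465);
        System.out.println("2.75 config verifies identity: " + verifiesServerIdentity(weak));

        Properties fixed = applyIdentityCheckDefault(unpatchedSslProps(host, 465));
        System.out.println("2.76 config verifies identity: " + verifiesServerIdentity(fixed));

        // The null guard keeps an explicit operator value, including a weakening one,
        // so a pre-seeded "false" is not overridden by the new default.
        Properties preset = unpatchedSslProps(host, 465);
        preset.put(CHECK_KEY, "false");
        applyIdentityCheckDefault(preset);
        System.out.println("explicit false kept, verifies identity: " + verifiesServerIdentity(preset));
    }
}
```

Compile and run with any JDK; no JavaMail dependency is needed because the example stops at the Properties object rather than opening a session.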

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           org.jenkins-ci.plugins:email-ext (Maven)
Affected versions: < 2.76
Patched versions:  2.76

Patches

ac039ba581f5

[SECURITY-1851]

1 file changed · +7 −0
  • src/main/java/hudson/plugins/emailext/ExtendedEmailPublisherDescriptor.java  +7 −0  modified
    @@ -300,6 +300,13 @@ public Session createSession(String from) throws MessagingException {
                     props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
                 }
                 props.put("mail.smtp.socketFactory.fallback", "false");
    +
    +            // RFC 2595 specifies additional checks that must be performed on the server's
    +            // certificate to ensure that the server you connected to is the server you intended
    +            // to connect to. This reduces the risk of "man in the middle" attacks.
    +            if (props.getProperty("mail.smtp.ssl.checkserveridentity") == null) {
    +                props.put("mail.smtp.ssl.checkserveridentity", "true");
    +            }
             }
             if (!StringUtils.isBlank(acc.getSmtpUsername())) {
                 props.put("mail.smtp.auth", "true");
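Review bot: the `== null` guard on the new `if (props.getProperty("mail.smtp.ssl.checkserveridentity") == null)` means any pre-seeded value wins, including an explicit `"false"` (for instance if `props` is initialised from system properties elsewhere in createSession), which silently turns the hostname check back off; consider documenting that precedence in the code comment or logging when the property is already present with a non-true value. Also, the new lines sit inside the block that closes at the `}` following `props.put("mail.smtp.socketFactory.fallback", "false");`, i.e. the SSL socket-factory branch, so it is worth confirming that any STARTTLS path the method configures outside this block receives the same property, since the advisory's remediation text says the check is enabled "when connecting via TLS" generally.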
    
