VYPR
Moderate severity · NVD Advisory · Published Apr 8, 2021 · Updated Aug 3, 2024

CVE-2021-22511

Description

Micro Focus Application Automation Tools Plugin for Jenkins up to 6.7 improperly validates certificates, allowing unconditional disabling of SSL/TLS verification.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Micro Focus Application Automation Tools Plugin (now OpenText Application Automation Tools Plugin) for Jenkins, versions 6.7 and earlier, contains an improper certificate validation vulnerability ([SECURITY-2176] [1]). The plugin unconditionally trusts all SSL/TLS certificates when connecting to external services. The fix commit makes this visible: it introduces a trustEveryone boolean in the SvServerSettingsModel class and passes it through to CommandExecutorFactory.createCommandExecutor, so that skipping certificate validation becomes an explicit, opt-in setting instead of the only behaviour; when set to true it still bypasses certificate validation entirely [3]. This affects all communications where the plugin makes HTTPS connections, such as to Service Virtualization servers.

Exploitation

An attacker with a network position capable of man-in-the-middle (MITM) attacks can exploit this vulnerability by presenting a self-signed or otherwise invalid certificate to the plugin. No special authentication is required beyond being able to intercept or redirect the plugin's network traffic. The plugin does not enforce certificate validation at all in affected versions, so the attacker simply needs to position themselves between the Jenkins instance and the target server. In patched versions the trustEveryone configuration option ("Ignore SSL errors" in the global configuration), when enabled by an administrator, disables all certificate checks for that server and reintroduces the same exposure.

Impact

Successful exploitation allows an attacker to intercept, decrypt, and potentially modify all traffic between the Jenkins plugin and the external services it communicates with. This can lead to disclosure of sensitive information such as credentials, build artifacts, or configuration data. The attacker can also impersonate the target server, possibly injecting malicious responses. The compromise undermines the confidentiality and integrity of the communication channel, with no privilege escalation within Jenkins itself unless the intercepted data enables further attacks.

Mitigation

The vulnerability is fixed in Micro Focus Application Automation Tools Plugin version 6.8, released on or after April 7, 2021 [2]. Users should upgrade to this version or later immediately. The fix ensures proper certificate validation is performed, removing the unconditional trust behavior. There is no workaround available for older versions; upgrading is the only mitigation. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
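As an added example (not part of this advisory or of the plugin's own code), a Python audit script covering both sides of the mitigation above: it checks an exported pluginManager JSON for a plugin version below the patched 6.8 and, for patched installs, scans the plugin's persisted global configuration XML for servers with trustEveryone enabled. The shortName/version field names are the real ones Jenkins returns from /pluginManager/api/json?depth=1; the XML element names and all sample data are constructed assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET

# Maven artifact from the advisory; shortName is what /pluginManager/api/json?depth=1 reports.
PLUGIN_SHORT_NAME = "hp-application-automation-tools-plugin"
PATCHED_VERSION = "6.8"


def version_key(version):
    """Numeric tuple so that "6.10" sorts after "6.8" (plain string comparison gets this wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def plugin_is_vulnerable(plugin_manager_json):
    """True if the plugin is installed at a version below 6.8; False if patched or not installed."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            return version_key(plugin["version"]) < version_key(PATCHED_VERSION)
    return False


def servers_ignoring_ssl_errors(config_xml):
    """Names of SV servers whose trustEveryone flag is true.
    Assumed layout: the plugin's global configuration XML (Jenkins saves it under
    $JENKINS_HOME/<fully-qualified-class-name>.xml) holds <server> elements with
    <name> and <trustEveryone> children. Adjust the element names to the real file.
    """
    flagged = []
    for server in ET.fromstring(config_xml).iter("server"):
        if (server.findtext("trustEveryone") or "").strip().lower() == "true":
            flagged.append(server.findtext("name", default="<unnamed>"))
    return flagged


# Constructed sample inputs, not captured from a real Jenkins instance.
SAMPLE_PLUGINS = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.7.1"},
    {"shortName": PLUGIN_SHORT_NAME, "version": "6.7"},
]})
SAMPLE_CONFIG = """<config><servers>
  <server><name>sv-prod</name><url>https://sv.example.test</url><trustEveryone>false</trustEveryone></server>
  <server><name>sv-lab</name><url>https://sv-lab.example.test</url><trustEveryone>true</trustEveryone></server>
</servers></config>"""

if __name__ == "__main__":
    print("plugin below 6.8 (CVE-2021-22511 applies):", plugin_is_vulnerable(SAMPLE_PLUGINS))
    print("servers with 'Ignore SSL errors' enabled:", servers_ignoring_ssl_errors(SAMPLE_CONFIG))
```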

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:hp-application-automation-tools-plugin (Maven)
Affected versions: < 6.8
Patched versions: 6.8

Patches

b286378aa22b

[SECURITY-2176]

6 files changed · +21 −8
  • pom.xml (+1 −1, modified)
    @@ -489,7 +489,7 @@
     		<dependency>
     			<groupId>com.microfocus.sv</groupId>
     			<artifactId>SVConfigurator</artifactId>
    -			<version>5.3</version>
    +			<version>5.4.1</version>
     			<exclusions>
     				<exclusion>
     					<groupId>commons-io</groupId>
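Review bot: the SVConfigurator bump from 5.3 to 5.4.1 is the only place in this change where certificate validation can actually become strict, since every other hunk just threads a boolean through; the commit message should state which SVConfigurator change makes validation the default so a reviewer can confirm the library no longer trusts all certificates when trustEveryone is false.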
    
  • src/main/java/com/microfocus/application/automation/tools/model/SvServerSettingsModel.java (+7 −1, modified)
    @@ -41,13 +41,15 @@ public class SvServerSettingsModel implements Serializable{
     
         private final String name;
         private final String url;
    +    private final boolean trustEveryone;
         private final String username;
         private final Secret password;
     
         @DataBoundConstructor
    -    public SvServerSettingsModel(String name, String url, String username, Secret password) {
    +    public SvServerSettingsModel(String name, String url, boolean trustEveryone, String username, Secret password) {
             this.name = StringUtils.trim(name);
             this.url = StringUtils.trim(url);
    +        this.trustEveryone = trustEveryone;
             this.username = username;
             this.password = password;
         }
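Review bot: inserting trustEveryone between url and username changes the positional signature of the @DataBoundConstructor, so any existing code or scripted configuration that constructs SvServerSettingsModel positionally will break silently at the type level; consider keeping a deprecated four-argument constructor that delegates with trustEveryone=false (the safe default), and add a Javadoc line on the field stating that true disables SSL/TLS certificate validation for that server.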
    @@ -64,6 +66,10 @@ public URL getUrlObject() throws MalformedURLException {
             return new URL(url);
         }
     
    +    public boolean isTrustEveryone() {
    +        return trustEveryone;
    +    }
    +
         public String getUsername() {
             return username;
         }
    
  • src/main/java/com/microfocus/application/automation/tools/settings/SvServerSettingsGlobalConfiguration.java (+4 −2, modified)
    @@ -139,12 +139,14 @@ public FormValidation doCheckPassword(@QueryParameter String value, @QueryParame
     
         @RequirePOST
         @SuppressWarnings("unused")
    -    public FormValidation doTestConnection(@QueryParameter("url") final String url, @QueryParameter("username") final String username,
    +    public FormValidation doTestConnection(@QueryParameter("url") final String url,
    +                                           @QueryParameter("trustEveryone") final boolean trustEveryone,
    +                                           @QueryParameter("username") final String username,
                                                @QueryParameter("password") final String password) {
             try {
                 Jenkins.get().checkPermission(Jenkins.ADMINISTER);
                 Credentials credentials = (!StringUtils.isBlank(username)) ? new Credentials(username, password) : null;
    -            ICommandExecutor commandExecutor = new CommandExecutorFactory().createCommandExecutor(new URL(url), credentials);
    +            ICommandExecutor commandExecutor = new CommandExecutorFactory().createCommandExecutor(new URL(url), trustEveryone, credentials);
                 ServerInfo serverInfo = commandExecutor.getClient().getServerInfo();
                 return FormValidation.ok("Validation passed. Connected to %s server of version: %s", serverInfo.getServerType(), serverInfo.getProductVersion());
             } catch (Exception e) {
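Review bot: doTestConnection returns FormValidation.ok even when trustEveryone is true, so an administrator who ticks the box and tests a server with a bad certificate sees "Validation passed" with no hint that certificate checks were skipped; returning FormValidation.warning(...) in that case, or appending "SSL errors ignored" to the message, would surface the weakened state at the moment it is chosen. The Jenkins.ADMINISTER check is correctly retained on the new signature.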
    
  • src/main/java/com/microfocus/application/automation/tools/sv/runner/AbstractSvRemoteRunner.java (+2 −1, modified)
    @@ -115,6 +115,7 @@ private void addServiceIfDeployed(String service, ArrayList<ServiceInfo> results
         }
     
         protected ICommandExecutor createCommandExecutor() throws Exception {
    -        return new CommandExecutorFactory().createCommandExecutor(server.getUrlObject(), server.getCredentials());
    +        return new CommandExecutorFactory()
    +                .createCommandExecutor(server.getUrlObject(), server.isTrustEveryone(), server.getCredentials());
         }
     }
    
  • src/main/java/com/microfocus/application/automation/tools/sv/runner/AbstractSvRunBuilder.java (+2 −2, modified)
    @@ -91,8 +91,8 @@ public void perform(@Nonnull Run<?, ?> run, @Nonnull FilePath workspace, @Nonnul
             try {
                 SvServerSettingsModel serverModel = getSelectedServerSettings();
     
    -            logger.printf("%nStarting %s for SV Server '%s' (%s as %s) on %s%n", getDescriptor().getDisplayName(),
    -                    serverModel.getName(), serverModel.getUrlObject(), serverModel.getUsername(), startDate);
    +            logger.printf("%nStarting %s for SV Server '%s' (%s as %s, ignoreSslErrors=%s) on %s%n", getDescriptor().getDisplayName(),
    +                    serverModel.getName(), serverModel.getUrlObject(), serverModel.getUsername(), serverModel.isTrustEveryone(), startDate);
                 logConfig(logger, "    ");
                 validateServiceSelection();
     
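Review bot: the log label ignoreSslErrors is a third name for one setting (trustEveryone in the model, "Ignore SSL errors" in the UI); settle on a single term across logs, field names and help text so that searching build logs for the setting is reliable. Recording the value on every run is a good audit trail and should stay.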
    
  • src/main/resources/com/microfocus/application/automation/tools/settings/SvServerSettingsGlobalConfiguration/config.jelly (+5 −1, modified)
    @@ -54,6 +54,10 @@
                             <f:textbox value="${srv.url}"/>
                         </f:entry>
     
    +                    <f:entry title="${%Ignore SSL errors}" field="trustEveryone">
    +                        <f:checkbox value="${srv.trustEveryone}"/>
    +                    </f:entry>
    +
                         <f:entry title="${%User name}" field="username">
                             <f:textbox value="${srv.username}"/>
                         </f:entry>
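Review bot: the new checkbox ships without help text, so nothing on the form tells the administrator that ticking "Ignore SSL errors" disables certificate validation for that server; add a help-trustEveryone.html next to config.jelly (the field-level help file Jenkins picks up automatically for field="trustEveryone") that spells out the consequence and limits the option to isolated test servers.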
    @@ -64,7 +68,7 @@
     
                         <f:validateButton
                                 title="${%Test Connection}" progress="${%Testing...}"
    -                            method="testConnection" with="url,username,password"/>
    +                            method="testConnection" with="url,trustEveryone,username,password"/>
     
                         <f:entry title="">
                             <div align="right">
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
