{"id":"CVE-2017-1000397","details":"Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons-httpclient library that is affected by CVE-2012-6153 and incorrectly verified SSL certificates, making the plugin susceptible to man-in-the-middle attacks. Maven Plugin 3.0 no longer has a dependency on commons-httpclient.","aliases":["GHSA-qhxw-54m9-6wwc"],"modified":"2026-04-10T03:56:04.933907Z","published":"2018-01-26T02:29:00.970Z","references":[{"type":"ADVISORY","url":"https://jenkins.io/security/advisory/2017-10-11/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/maven-plugin","events":[{"introduced":"0"},{"last_affected":"77e94605b31c5ea41914e5105f77831d397e7132"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.17"}]}}],"versions":["maven-plugin-2.0","maven-plugin-2.0-beta-1","maven-plugin-2.1","maven-plugin-2.10","maven-plugin-2.11","maven-plugin-2.12","maven-plugin-2.12.1","maven-plugin-2.13","maven-plugin-2.14","maven-plugin-2.15","maven-plugin-2.15.1","maven-plugin-2.16","maven-plugin-2.17","maven-plugin-2.2","maven-plugin-2.3","maven-plugin-2.4","maven-plugin-2.5","maven-plugin-2.6","maven-plugin-2.7","maven-plugin-2.7.1","maven-plugin-2.8","maven-plugin-2.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-1000397.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}