[JENKINS:SECURITY-3333] Terrapin SSH vulnerability in `trilead-api`

Severity: Medium
Affected packages: 2
Fixed packages: 2
CVEs: 1

trilead-api bundles the https://github.com/jenkinsci/trilead-ssh2/[Jenkins project's fork of the Trilead SSH2 library] for use by other plugins.

trilead-api 2.133.vfb_8a_7b_9c5dd1 and earlier, except 2.84.86.vf9c960e9b_458, bundles versions of Jenkins/Trilead SSH2 that are susceptible to https://www.cve.org/CVERecord?id=CVE-2023-48795[CVE-2023-48795] (https://en.wikipedia.org/wiki/Terrapin_attack[Terrapin]).
Terrapin is a prefix-truncation attack on the SSH transport layer: when a connection negotiates ChaCha20-Poly1305, or a CBC-mode cipher together with an encrypt-then-MAC (ETM) MAC, a machine-in-the-middle attacker can delete messages at the start of the encrypted channel without either peer noticing, and so reduce the security of the SSH connection (for example by stripping the extension negotiation that would have enabled stronger algorithms).
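To make concrete which "affected ciphers and encryption modes" the advisory refers to, the following is an added example (not code from the advisory, the Jenkins project or the trilead-ssh2 library) that parses an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1 and reports whether a peer's offer satisfies the Terrapin preconditions: ChaCha20-Poly1305, or a `-cbc` cipher combined with an `-etm@openssh.com` MAC, without the strict key exchange countermeasure (`kex-strict-s-v00@openssh.com` / `kex-strict-c-v00@openssh.com`). It goes beyond the advisory text into the SSH transport protocol itself; both server offers are constructed samples, not captures from any real host.

```python
import struct

SSH_MSG_KEXINIT = 20

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex", "hostkey",
    "enc_c2s", "enc_s2c",
    "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c",
    "lang_c2s", "lang_s2c",
)

# Algorithm and countermeasure names relevant to CVE-2023-48795.
CHACHA20 = "chacha20-poly1305@openssh.com"
STRICT_KEX = {"kex-strict-s-v00@openssh.com", "kex-strict-c-v00@openssh.com"}


def _read_name_list(buf, off):
    """Read one SSH name-list: uint32 length, then comma-separated names."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + length].decode("ascii")
    return [name for name in raw.split(",") if name], off + length


def parse_kexinit(payload):
    """Split a KEXINIT payload (id, cookie, ten name-lists, ...) into a dict."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # skip the message id and the 16-byte random cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        lists[field], off = _read_name_list(payload, off)
    return lists


def terrapin_exposure(lists):
    """Classify one peer's offer against the Terrapin preconditions."""
    ciphers = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    macs = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    offers_chacha = CHACHA20 in ciphers
    offers_cbc_etm = any(c.endswith("-cbc") for c in ciphers) and any(
        m.endswith("-etm@openssh.com") for m in macs)
    offers_strict_kex = bool(STRICT_KEX & set(lists["kex"]))
    return {
        "chacha20_poly1305": offers_chacha,
        "cbc_with_etm": offers_cbc_etm,
        "strict_kex": offers_strict_kex,
        # The attack needs an affected algorithm to actually be negotiated and
        # strict kex to be absent on at least one side; a single offer can only
        # say whether this peer leaves that possibility open.
        "exposed": (offers_chacha or offers_cbc_etm) and not offers_strict_kex,
    }


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialise name-lists into a KEXINIT payload (used to construct samples)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    body += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    return body


# Constructed sample offers; not captured from any real server.
LEGACY_SERVER_OFFER = build_kexinit({
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "hostkey": ["ssh-ed25519"],
    "enc_c2s": [CHACHA20, "aes256-cbc", "aes128-ctr"],
    "enc_s2c": [CHACHA20, "aes256-cbc", "aes128-ctr"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

HARDENED_SERVER_OFFER = build_kexinit({
    "kex": ["curve25519-sha256", "kex-strict-s-v00@openssh.com"],
    "hostkey": ["ssh-ed25519"],
    "enc_c2s": ["aes128-ctr", "aes256-gcm@openssh.com"],
    "enc_s2c": ["aes128-ctr", "aes256-gcm@openssh.com"],
    "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    for label, offer in (("legacy", LEGACY_SERVER_OFFER),
                         ("hardened", HARDENED_SERVER_OFFER)):
        print(label, terrapin_exposure(parse_kexinit(offer)))
```

The fixed trilead-ssh2 build addresses this from the client side: if the client never offers the ChaCha20 or CBC-with-ETM combinations, the `exposed` case above cannot be negotiated regardless of what the server advertises. Servers that also advertise strict key exchange close the remaining gap for clients that still offer those algorithms.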

trilead-api 2.141.v284120fd0c46 updates the bundled Jenkins/Trilead SSH2 library to version build-217-jenkins-274.276.v58da_75159cb_7, which by default removes the affected ciphers and encryption modes.

Package                                          Affected version
pkg:maven/org.jenkins-ci.plugins/trilead-api     <= 2.133.vfb_8a_7b_9c5dd1
pkg:github/jenkinsci/trilead-api-plugin          <= 2.133.vfb_8a_7b_9c5dd1

Package                                          Fixed version
pkg:maven/org.jenkins-ci.plugins/trilead-api     = 2.141.v284120fd0c46
pkg:github/jenkinsci/trilead-api-plugin          = 2.141.v284120fd0c46
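A practical check for the version range above is to read the installed trilead-api version out of a controller's plugin manager and compare it against the advisory's bounds, remembering the explicitly exempted 2.84.86.vf9c960e9b_458. The following is an added example (not code from the advisory or the Jenkins project). It parses the response shape of the real Jenkins remote API endpoint `GET $JENKINS_URL/pluginManager/api/json?depth=1` (the `plugins[].shortName` and `plugins[].version` fields), but the response embedded here is a constructed sample, and `example-plugin` is a hypothetical plugin name. The version comparison only orders the numeric prefix of Jenkins CD-style version strings (the trailing `.v<git-hash>` segment carries no ordering) and is deliberately not a reimplementation of Jenkins' own VersionNumber class.

```python
import json

PLUGIN = "trilead-api"
LAST_AFFECTED = "2.133.vfb_8a_7b_9c5dd1"   # from the advisory
FIXED = "2.141.v284120fd0c46"             # from the advisory
EXEMPT = {"2.84.86.vf9c960e9b_458"}       # explicitly excluded by the advisory


def version_key(version):
    """Ordered part of a Jenkins plugin version.

    CD-style versions look like 2.133.vfb_8a_7b_9c5dd1: a dotted numeric
    prefix followed by a .v<git-hash> segment that carries no ordering.
    Only the numeric prefix is compared, which is enough for this advisory;
    this is not a full reimplementation of Jenkins' VersionNumber class.
    """
    key = []
    for segment in version.split("."):
        if not segment.isdigit():
            break
        key.append(int(segment))
    return tuple(key)


def is_affected(version):
    """True if this trilead-api version falls in the advisory's affected range."""
    if version in EXEMPT:
        return False
    return version_key(version) <= version_key(LAST_AFFECTED)


def installed_version(plugin_manager_json, short_name=PLUGIN):
    """Pull one plugin's version out of a pluginManager JSON API response."""
    doc = json.loads(plugin_manager_json)
    for plugin in doc.get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin.get("version")
    return None


def assess(plugin_manager_json):
    """Return (installed version or None, affected?) for trilead-api."""
    version = installed_version(plugin_manager_json)
    if version is None:
        return None, False  # plugin not installed, nothing to fix
    return version, is_affected(version)


# Constructed sample in the shape of GET $JENKINS_URL/pluginManager/api/json?depth=1,
# trimmed to the fields used above. "example-plugin" is a hypothetical plugin.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "example-plugin", "version": "1.0", "active": True},
        {"shortName": "trilead-api", "version": "2.133.vfb_8a_7b_9c5dd1", "active": True},
    ]
})

if __name__ == "__main__":
    version, affected = assess(SAMPLE_PLUGIN_MANAGER_JSON)
    verdict = "AFFECTED, upgrade to " + FIXED if affected else "not affected"
    print(f"{PLUGIN} {version}: {verdict}")
```

Against a live controller, fetch the document with an API token, for example `curl -s -u "$USER:$API_TOKEN" "$JENKINS_URL/pluginManager/api/json?depth=1"`, and pass the body to `assess`. The same version is available from the Script Console via `Jenkins.instance.pluginManager.getPlugin('trilead-api')?.version`. Note that plugins which depend on trilead-api (SSH agents, SSH credentials, and similar) are fixed by upgrading trilead-api itself, so that is the plugin to check.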
ID: JENKINS:SECURITY-3333
Severity: medium
Published: 2024-03-06T00:00:00
Modified: 2024-03-06T00:00:00
Rights: Jenkins Security Team
Other advisories
Source: Plugin repository
Name: trilead-api repository
URL: https://github.com/jenkinsci/trilead-api-plugin