[JENKINS:SECURITY-3386] Terrapin SSH vulnerability in Jenkins CLI client

Severity Medium
Affected Packages 2
Fixed Packages 2
CVEs 1

The CLI client (jenkins-cli.jar) in Jenkins 2.451 and earlier, LTS 2.440.2 and earlier bundles versions of the Apache MINA SSHD library that are susceptible to CVE-2023-48795 (https://www.cve.org/CVERecord?id=CVE-2023-48795), the Terrapin attack (https://en.wikipedia.org/wiki/Terrapin_attack).
This vulnerability allows a machine-in-the-middle attacker to reduce the security of an SSH connection.

NOTE: This only affects the Jenkins CLI client when using the -ssh connection mode, which is not the default.

The CLI client (jenkins-cli.jar) in Jenkins 2.452, LTS 2.440.3 bundles version 2.12.1 of the Apache MINA SSHD library, which is unaffected by this issue.
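A defender's check for the statement above, added here and not part of the advisory or of Jenkins itself: it opens a jenkins-cli.jar and reports the bundled Apache MINA SSHD version, comparing it with the 2.12.1 release the advisory names as unaffected. It assumes the jar carries Maven `pom.properties` entries for its shaded dependencies under `META-INF/maven/org.apache.sshd/`; the sample jar built in `make_sample_jar` is constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: jenkins-cli.jar keeps the Maven metadata of each shaded dependency
# at META-INF/maven/<groupId>/<artifactId>/pom.properties.
SSHD_POM_RE = re.compile(r"^META-INF/maven/org\.apache\.sshd/([^/]+)/pom\.properties$")
FIXED_SSHD_VERSION = (2, 12, 1)  # the version the advisory names as unaffected

def parse_version(text):
    """'2.12.1' -> (2, 12, 1); a qualifier such as '-SNAPSHOT' is dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

def bundled_sshd_versions(jar_bytes):
    """Return {artifactId: version} for every Apache MINA SSHD module found in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            match = SSHD_POM_RE.match(name)
            if not match:
                continue
            props = jar.read(name).decode("utf-8", errors="replace")
            for line in props.splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    found[match.group(1)] = value.strip()
    return found

def assess_cli_jar(jar_bytes):
    """Classify a CLI jar as 'affected', 'fixed' or 'unknown' (no SSHD metadata found)."""
    versions = bundled_sshd_versions(jar_bytes)
    if not versions:
        return "unknown", versions
    affected = any(parse_version(v) < FIXED_SSHD_VERSION for v in versions.values())
    return ("affected" if affected else "fixed"), versions

def make_sample_jar(sshd_version):
    """Constructed stand-in for jenkins-cli.jar holding only the entry this check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.sshd/sshd-core/pom.properties",
                     f"version={sshd_version}\ngroupId=org.apache.sshd\nartifactId=sshd-core\n")
    return buf.getvalue()

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:  # path to a real jenkins-cli.jar
        status, versions = assess_cli_jar(f.read())
    print(status, versions)
```

An "unknown" result means the jar carries no SSHD Maven metadata, so the version has to be confirmed another way rather than assumed safe.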

ID
JENKINS:SECURITY-3386
Severity
medium
Published
2024-04-17T00:00:00
Modified
2024-04-17T00:00:00
Rights
Jenkins Security Team
Repository Jenkins repository https://github.com/jenkinsci/jenkins
Type      Package URL                                    Namespace               Name          Version
Affected  pkg:maven/org.jenkins-ci.plugins/jenkins-core  org.jenkins-ci.plugins  jenkins-core  <= 2.451
Fixed     pkg:maven/org.jenkins-ci.plugins/jenkins-core  org.jenkins-ci.plugins  jenkins-core  = 2.452
Affected  pkg:github/jenkinsci/jenkins                   jenkinsci               jenkins       <= 2.451
Fixed     pkg:github/jenkinsci/jenkins                   jenkinsci               jenkins       = 2.452