[JENKINS:SECURITY-381] Missing SSH host key validation in `ec2`
Severity: Medium
Affected Packages: 2
Fixed Packages: 2
CVEs: 1
ec2 1.50.1 and earlier does not use SSH host key validation when connecting to agents.
This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.

ec2 1.50.2 provides strategies for performing host key validation for administrators to select the one that meets their security needs.
It includes assistance for administrators to migrate to a new, more secure strategy.
For more information see [the plugin documentation](https://github.com/jenkinsci/ec2-plugin/#securing-the-connection-to-unix-amis).
Package | Affected Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/ec2 | <= 1.50.1 |
pkg:github/jenkinsci/ec2-plugin | <= 1.50.1 |
Package | Fixed Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/ec2 | = 1.50.2 |
pkg:github/jenkinsci/ec2-plugin | = 1.50.2 |
- ID: JENKINS:SECURITY-381
- Severity: medium
- Published: 2020-05-06T00:00:00 (4 years ago)
- Modified: 2020-05-06T00:00:00 (4 years ago)
- Rights: Jenkins Security Team
- Other Advisories:

Source | # ID | Name | URL |
---|---|---|---|
Plugin repository | | ec2 repository | https://github.com/jenkinsci/ec2-plugin |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/org.jenkins-ci.plugins/ec2 | org.jenkins-ci.plugins | ec2 | <= 1.50.1 | |||
Fixed | pkg:maven/org.jenkins-ci.plugins/ec2 | org.jenkins-ci.plugins | ec2 | = 1.50.2 | |||
Affected | pkg:github/jenkinsci/ec2-plugin | jenkinsci | ec2-plugin | <= 1.50.1 | |||
Fixed | pkg:github/jenkinsci/ec2-plugin | jenkinsci | ec2-plugin | = 1.50.2 |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Publication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|