[JENKINS:SECURITY-381] Missing SSH host key validation in `ec2`

Severity Medium

Affected Packages 2

Fixed Packages 2

CVEs 1

ec2 1.50.1 and earlier does not use SSH host key validation when connecting to agents.
This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.

ec2 1.50.2 provides strategies for performing host key validation for administrators to select the one that meets their security needs.
It includes assistance for administrators to migrate to a new, more secure strategy.
For more information see https://github.com/jenkinsci/ec2-plugin/#securing-the-connection-to-unix-amis[the plugin documentation].

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/ec2	<= 1.50.1
pkg:github/jenkinsci/ec2-plugin	<= 1.50.1

Package	Fixed Version
pkg:maven/org.jenkins-ci.plugins/ec2	= 1.50.2
pkg:github/jenkinsci/ec2-plugin	= 1.50.2

ID

JENKINS:SECURITY-381

Severity

medium

Published

2020-05-06T00:00:00
(4 years ago)

Modified

2020-05-06T00:00:00
(4 years ago)

Rights

Jenkins Security Team

Other Advisories

MAVEN:GHSA-Q8QQ-2P5P-RG44

Source	# ID	Name	URL
Plugin repository		ec2 repository	https://github.com/jenkinsci/ec2-plugin

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.jenkins-ci.plugins/ec2	org.jenkins-ci.plugins	ec2	<= 1.50.1
Fixed	pkg:maven/org.jenkins-ci.plugins/ec2	org.jenkins-ci.plugins	ec2	= 1.50.2
Affected	pkg:github/jenkinsci/ec2-plugin	jenkinsci	ec2-plugin	<= 1.50.1
Fixed	pkg:github/jenkinsci/ec2-plugin	jenkinsci	ec2-plugin	= 1.50.2

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date