[MAVEN:GHSA-C89C-PVM7-33WJ] Lack of SSL/TLS certificate and hostname validation in Amazon EC2 Plugin
Severity: Moderate
Affected Packages: 1
Fixed Packages: 1
CVEs: 1
Amazon EC2 Plugin connects to Windows agents via HTTPS.
Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed HTTPS certificates and does not perform hostname validation when connecting to Windows agents. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.
Amazon EC2 Plugin 1.50.2 by default no longer accepts self-signed HTTPS certificates and performs hostname validation. A new configuration option allows restoring the previous, unsafe behavior. For more information, see the plugin documentation.
Package | Affected Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/ec2 | <= 1.50.1 |
Package | Fixed Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/ec2 | = 1.50.2 |
- ID: MAVEN:GHSA-C89C-PVM7-33WJ
- Severity: moderate
- URL: https://github.com/advisories/GHSA-c89c-pvm7-33wj
- Published: 2022-05-24T17:17:15
- Modified: 2023-12-20T13:30:15
- Rights: Maven Security Team