[MAVEN:GHSA-J54R-W587-95Q7] Jenkins Oracle Cloud Infrastructure Compute Plugin missing SSH host key validation

Severity Moderate
Affected Packages 1
Fixed Packages 1
CVEs 1

Jenkins Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not perform SSH host key validation when connecting to OCI clouds.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to OCI clouds.

Oracle Cloud Infrastructure Compute Plugin 1.0.17 provides host key validation strategies from which administrators can select the one that meets their security needs.

ID: MAVEN:GHSA-J54R-W587-95Q7
Severity: moderate
URL: https://github.com/advisories/GHSA-j54r-w587-95q7
Published: 2023-07-12T18:30:38
Modified: 2023-11-08T05:04:33
Rights: Maven Security Team
Other Advisories
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.plugins/oracle-cloud-infrastructure-compute | org.jenkins-ci.plugins | oracle-cloud-infrastructure-compute | < 1.0.17 | | | |
| Fixed | pkg:maven/org.jenkins-ci.plugins/oracle-cloud-infrastructure-compute | org.jenkins-ci.plugins | oracle-cloud-infrastructure-compute | = 1.0.17 | | | |