Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zNDVwLXB3NXEtZzk4ds4AAiva
Jenkins Google Compute Engine Plugin does not verify SSH host keys when connecting agents created by the plugin
Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks. Google Compute Engine Plugin 4.2.0 verifies SSH host keys before executing any commands on agents.
Permalink: https://github.com/advisories/GHSA-345p-pw5q-g98vJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNDVwLXB3NXEtZzk4ds4AAiva
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 4 months ago
CVSS Score: 6.8
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Identifiers: GHSA-345p-pw5q-g98v, CVE-2019-16546
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-16546
- https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1584
- http://www.openwall.com/lists/oss-security/2019/11/21/1
- https://github.com/advisories/GHSA-345p-pw5q-g98v
Affected Packages
maven:org.jenkins-ci.plugins:google-compute-engine
Versions: <= 4.1.1Fixed in: 4.2.0