Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1jbTdqLXA4aGMtOTd2as4AAttG

Jenkins Git client plugin 3.11.0 does not perform SSH host key verification

Jenkins Git client plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks. Git client Plugin 3.11.1 provides strategies for performing host key verification for administrators to select the one that meets their security needs. For more information see the plugin documentation.

Permalink: https://github.com/advisories/GHSA-cm7j-p8hc-97vj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jbTdqLXA4aGMtOTd2as4AAttG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 4 months ago

CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-cm7j-p8hc-97vj, CVE-2022-36881
References:

• https://nvd.nist.gov/vuln/detail/CVE-2022-36881
• https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1468
• http://www.openwall.com/lists/oss-security/2022/07/27/1
• https://github.com/jenkinsci/git-client-plugin/commit/88f52c6c9b18bca4ad210e3b9910a49433583fd9
• https://github.com/advisories/GHSA-cm7j-p8hc-97vj

Repository: https://github.com/jenkinsci/git-client-plugin
Blast Radius: 1.0

Affected Packages