Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jbTdqLXA4aGMtOTd2as4AAttG
Jenkins Git client plugin 3.11.0 does not perform SSH host key verification
Jenkins Git client plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks. Git client Plugin 3.11.1 provides strategies for performing host key verification for administrators to select the one that meets their security needs. For more information see the plugin documentation.
Permalink: https://github.com/advisories/GHSA-cm7j-p8hc-97vjJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jbTdqLXA4aGMtOTd2as4AAttG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-cm7j-p8hc-97vj, CVE-2022-36881
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-36881
- https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1468
- http://www.openwall.com/lists/oss-security/2022/07/27/1
- https://github.com/jenkinsci/git-client-plugin/commit/88f52c6c9b18bca4ad210e3b9910a49433583fd9
- https://github.com/advisories/GHSA-cm7j-p8hc-97vj
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:git-client
Affected Version Ranges: <= 3.11.0Fixed in: 3.11.1