Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qNTRyLXc1ODctOTVxN84AA0qD
Jenkins Oracle Cloud Infrastructure Compute Plugin missing SSH host key validation
Jenkins Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not perform SSH host key validation when connecting to OCI clouds.
This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to OCI clouds.
Oracle Cloud Infrastructure Compute Plugin 1.0.17 provides host key validation strategies, from which administrators can select the one that meets their security needs.
Permalink: https://github.com/advisories/GHSA-j54r-w587-95q7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNTRyLXc1ODctOTVxN84AA0qD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 6 months ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-j54r-w587-95q7, CVE-2023-37948
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-37948
- https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3044
- http://www.openwall.com/lists/oss-security/2023/07/12/2
- https://github.com/advisories/GHSA-j54r-w587-95q7
Affected Packages
maven:org.jenkins-ci.plugins:oracle-cloud-infrastructure-compute
Affected Version Ranges: < 1.0.17
Fixed in: 1.0.17