Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xOHFxLTJwNXAtcmc0NM4AAknX
Missing SSH host key validation in Jenkins Amazon EC2 Plugin
Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not use SSH host key validation when connecting to agents. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.
Jenkins Amazon EC2 Plugin 1.50.2 provides strategies for performing host key validation for administrators to select the one that meets their security needs. It includes assistance for administrators to migrate to a new, more secure strategy. For more information see the plugin documentation.
Permalink: https://github.com/advisories/GHSA-q8qq-2p5p-rg44
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xOHFxLTJwNXAtcmc0NM4AAknX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 5.6
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-q8qq-2p5p-rg44, CVE-2020-2185
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2185
- https://jenkins.io/security/advisory/2020-05-06/#SECURITY-381
- http://www.openwall.com/lists/oss-security/2020/05/06/3
- https://github.com/jenkinsci/ec2-plugin/commit/4c9f03ae202e4730fd54eda40771fa4d3873e358
- https://github.com/advisories/GHSA-q8qq-2p5p-rg44
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:ec2
Affected Version Ranges: <= 1.50.1
Fixed in: 1.50.2