Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ydjlnLTY3ZjctZ3JxN84AAjxm
Missing SSH host key validation in Mac Plugin
Mac Plugin 1.1.0 and earlier does not use SSH host key validation when connecting to Mac Cloud host launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.
Mac Plugin 1.2.0 validates SSH host keys when connecting to agents.
Permalink: https://github.com/advisories/GHSA-rv9g-67f7-grq7JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ydjlnLTY3ZjctZ3JxN84AAjxm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 6.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Identifiers: GHSA-rv9g-67f7-grq7, CVE-2020-2146
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2146
- https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1692
- http://www.openwall.com/lists/oss-security/2020/03/09/1
- https://github.com/jenkinsci/mac-plugin/commit/ba1a8206c7ef990d37498e5abdf210990ef046b5
- https://github.com/advisories/GHSA-rv9g-67f7-grq7
Blast Radius: 1.0
Affected Packages
maven:fr.edf.jenkins.plugins:mac
Affected Version Ranges: < 1.2.0Fixed in: 1.2.0