GHSA-322x-jv5h-cvjh

Source

https://github.com/advisories/GHSA-322x-jv5h-cvjh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-322x-jv5h-cvjh/GHSA-322x-jv5h-cvjh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-322x-jv5h-cvjh

Aliases

CVE-2018-1000149

Published

2022-05-13T01:18:44Z

Modified

2024-12-03T06:08:12.015115Z

Severity

5.6 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

Jenkins Ansible Plugin man in the middle vulnerability

Details

A man in the middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older in AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, AnsiblePlaybookStep.java that disables host key verification by default. Ansible Plugin 1.0 now enables host key verification by default, adding options allowing users to opt out.

Database specific

{
    "nvd_published_at": "2018-04-05T13:29:00Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-06T21:53:17Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:ansible

Package

Name: org.jenkins-ci.plugins:ansible; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/ansible

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0

Affected versions

0.*

0.1

0.2

0.3

0.3.1

0.4

0.5

0.6.1

0.6.2

0.8

Database specific

{
    "last_known_affected_version_range": "<= 0.8"
}