GHSA-345p-pw5q-g98v

Source

https://github.com/advisories/GHSA-345p-pw5q-g98v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-345p-pw5q-g98v/GHSA-345p-pw5q-g98v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-345p-pw5q-g98v

Aliases

CVE-2019-16546

Published

2022-05-24T17:01:41Z

Modified

2023-11-08T04:01:18.469409Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Jenkins Google Compute Engine Plugin does not verify SSH host keys when connecting agents created by the plugin

Details

Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks. Google Compute Engine Plugin 4.2.0 verifies SSH host keys before executing any commands on agents.

Database specific

{
    "github_reviewed_at": "2022-12-06T21:58:57Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-300",
        "CWE-639"
    ],
    "nvd_published_at": "2019-11-21T15:15:00Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:google-compute-engine

Package

Name: org.jenkins-ci.plugins:google-compute-engine; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/google-compute-engine

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.2.0

Affected versions

1.*

1.0-beta-1

1.0-beta-2

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.10

2.*

2.0.0

3.*

3.0.0

3.1.0

3.1.1

3.2.0

3.3.0

3.3.1

3.3.2

3.4.0

4.*

4.0.0

4.1.0

4.1.1

Database specific

last_known_affected_version_range

"<= 4.1.1"