GHSA-345p-pw5q-g98v

Source
https://github.com/advisories/GHSA-345p-pw5q-g98v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-345p-pw5q-g98v/GHSA-345p-pw5q-g98v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-345p-pw5q-g98v
Aliases
Published
2022-05-24T17:01:41Z
Modified
2023-11-08T04:01:18.469409Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
Jenkins Google Compute Engine Plugin does not verify SSH host keys when connecting agents created by the plugin
Details

Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks. Google Compute Engine Plugin 4.2.0 verifies SSH host keys before executing any commands on agents.

References

Affected packages

Maven / org.jenkins-ci.plugins:google-compute-engine

Package

Name
org.jenkins-ci.plugins:google-compute-engine
Purl
pkg:maven/org.jenkins-ci.plugins/google-compute-engine

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.2.0

Affected versions

1.*

1.0-beta-1
1.0-beta-2
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.10

2.*

2.0.0

3.*

3.0.0
3.1.0
3.1.1
3.2.0
3.3.0
3.3.1
3.3.2
3.4.0

4.*

4.0.0
4.1.0
4.1.1

Database specific

{
    "last_known_affected_version_range": "<= 4.1.1"
}