GHSA-q8qq-2p5p-rg44
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q8qq-2p5p-rg44
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q8qq-2p5p-rg44/GHSA-q8qq-2p5p-rg44.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q8qq-2p5p-rg44
- Aliases
-
- CVE-2020-2185
- Published
- 2022-05-24T17:17:14Z
- Modified
- 2024-02-16T08:19:30.630862Z
- Severity
-
- 5.6 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- Missing SSH host key validation in Jenkins Amazon EC2 Plugin
- Details
-
Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not use SSH host key validation when connecting to agents. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.
Jenkins Amazon EC2 Plugin 1.50.2 provides strategies for performing host key validation for administrators to select the one that meets their security needs. It includes assistance for administrators to migrate to a new, more secure strategy. For more information see the plugin documentation.
- Database specific
{ "nvd_published_at": "2020-05-06T13:15:00Z", "cwe_ids": [ "CWE-300" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-12-16T22:55:37Z" }- References
Affected packages
Maven / org.jenkins-ci.plugins:ec2
Package
- Name
- org.jenkins-ci.plugins:ec2
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/ec2
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.50.2
Affected versions
1.*
1.11
1.12
1.13
1.14
1.15
1.16
1.17
1.18
1.19
1.20
1.21
1.22
1.23
1.24
1.25
1.26
1.27
1.28
1.29
1.30
1.31
1.32
1.33
1.34
1.35
1.36
1.37
1.38
1.39
1.40
1.40.1
1.41
1.41.1
1.42
1.42.1
1.42.2
1.43
1.44
1.44.1
1.45
1.46
1.46.1
1.46.2
1.46.3
1.46.4
1.47
1.48
1.49
1.49.1
1.49.2
1.49.3
1.50
1.50.1