CVE-2020-2185 – org.jenkins-ci.plugins:ec2
Package
Manager: maven
Name: org.jenkins-ci.plugins:ec2
Vulnerable Version: >=0 <1.50.2
Severity
Level: Medium
CVSS v3.0: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.001 (percentile 0.2837)
Details
Title: Missing SSH host key validation in Jenkins Amazon EC2 Plugin
Description: Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not perform SSH host key validation when connecting to agents. Because the controller accepts whatever host key the remote side presents, an attacker positioned on the network path (man-in-the-middle) could intercept these connections to build agents. Jenkins Amazon EC2 Plugin 1.50.2 provides several host key validation strategies so that administrators can select the one that meets their security needs, and includes assistance for migrating to a new, more secure strategy. For more information see [the plugin documentation](https://github.com/jenkinsci/ec2-plugin/#securing-the-connection-to-unix-amis).
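To make the failure mode concrete, the following is an added example and not code from the Jenkins Amazon EC2 Plugin (which is written in Java). It models three host key validation policies for an SSH client that connects to freshly launched agents: "off" (the pre-1.50.2 behaviour described above), "accept-new" (trust on first use, then pin) and "strict" (only keys already registered, for example ones read from the instance console output). The policy names, the known_hosts snippet, the agent address and both Ed25519 key blobs are constructed for the example and are not real host keys. The block then simulates a genuine agent and a man-in-the-middle presenting a different key under each policy.

```python
"""Host key validation policies for an SSH client, illustrated offline.

Added example: not the Jenkins EC2 Plugin's own code. Policy names mirror
OpenSSH's StrictHostKeyChecking values (no / accept-new / yes) but are an
assumption of this example, not the plugin's strategy names.
"""
import base64
import hashlib
import struct
from enum import Enum


class HostKeyPolicy(Enum):
    OFF = "off"                # never verify: the vulnerable behaviour
    ACCEPT_NEW = "accept-new"  # pin on first contact, verify afterwards
    STRICT = "strict"          # only pre-registered keys are accepted


class UnknownHostKey(Exception):
    """Host has no registered key and the policy forbids pinning a new one."""


class HostKeyMismatch(Exception):
    """Presented key differs from the registered one: possible MITM."""


def ed25519_blob(raw_key: bytes) -> bytes:
    """Encode a 32-byte Ed25519 public key in SSH wire format (RFC 8709)."""
    key_type = b"ssh-ed25519"
    return (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(raw_key)) + raw_key)


def fingerprint(pubkey_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of the hash."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Parse 'host keytype base64key' lines into {host: {fingerprint, ...}}."""
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _key_type, b64key = line.split()[:3]
        store.setdefault(host, set()).add(fingerprint(base64.b64decode(b64key)))
    return store


def verify_host_key(store: dict, host: str, presented: bytes,
                    policy: HostKeyPolicy) -> bool:
    """Return True when the connection may proceed, else raise."""
    fp = fingerprint(presented)
    if policy is HostKeyPolicy.OFF:
        return True  # whatever key the peer sends is accepted silently
    known = store.get(host)
    if known is None:
        if policy is HostKeyPolicy.ACCEPT_NEW:
            store[host] = {fp}  # trust on first use; a MITM here gets pinned
            return True
        raise UnknownHostKey(f"{host}: no registered key ({fp})")
    if fp in known:
        return True
    raise HostKeyMismatch(f"{host}: presented {fp}, expected one of {sorted(known)}")


# Constructed test material: deterministic fake keys, not real host keys.
AGENT_KEY = ed25519_blob(bytes(range(32)))
ATTACKER_KEY = ed25519_blob(bytes(range(32, 64)))
AGENT_HOST = "10.0.1.23"  # assumed private address of a launched agent
KNOWN_HOSTS = (
    "# constructed known_hosts for the example\n"
    f"{AGENT_HOST} ssh-ed25519 {base64.b64encode(AGENT_KEY).decode()}\n"
)


def simulate(policy: HostKeyPolicy) -> dict:
    """Connect to a registered agent, genuinely and through a MITM."""
    store = parse_known_hosts(KNOWN_HOSTS)
    outcome = {"genuine": verify_host_key(store, AGENT_HOST, AGENT_KEY, policy)}
    try:
        verify_host_key(store, AGENT_HOST, ATTACKER_KEY, policy)
        outcome["mitm"] = "accepted"
    except (UnknownHostKey, HostKeyMismatch):
        outcome["mitm"] = "rejected"
    return outcome


def first_contact(policy: HostKeyPolicy, first_key: bytes, later_key: bytes) -> str:
    """Unregistered host: who wins when keys differ between first and later connect?"""
    store = {}
    host = "10.0.1.99"  # assumed address of a brand-new agent
    try:
        verify_host_key(store, host, first_key, policy)
        verify_host_key(store, host, later_key, policy)
        return "both accepted"
    except UnknownHostKey:
        return "first connect refused"
    except HostKeyMismatch:
        return "later connect refused"


if __name__ == "__main__":
    for policy in HostKeyPolicy:
        print(policy.value, simulate(policy),
              first_contact(policy, ATTACKER_KEY, AGENT_KEY))
```

With "off" the MITM key is accepted just like the genuine one, which is the condition the advisory describes. "strict" rejects both the MITM and any host whose key was not registered in advance, so an operator must feed the key in from a trusted channel such as the instance console output. "accept-new" stops a MITM against an already-known agent but pins whatever key shows up first, so an attacker present on the very first connection to a new agent stays trusted; that trade-off is why a strategy choice is left to the administrator.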
Metadata
Created: 2022-05-24T17:17:14Z
Modified: 2023-12-14T09:28:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q8qq-2p5p-rg44/GHSA-q8qq-2p5p-rg44.json
CWE IDs: ["CWE-300"]
Alternative ID: GHSA-q8qq-2p5p-rg44
Finding: F332
Auto approve: 1