CVE-2019-16546 – org.jenkins-ci.plugins:google-compute-engine
Package
Manager: maven
Name: org.jenkins-ci.plugins:google-compute-engine
Vulnerable Version: >=0 <4.2.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00045 (percentile 0.13049)
Details
Jenkins Google Compute Engine Plugin does not verify SSH host keys when connecting agents created by the plugin.
Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks. Google Compute Engine Plugin 4.2.0 verifies SSH host keys before executing any commands on agents.
Metadata
Created: 2022-05-24T17:01:41Z
Modified: 2022-12-06T21:58:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-345p-pw5q-g98v/GHSA-345p-pw5q-g98v.json
CWE IDs: ["CWE-300", "CWE-639"]
Alternative ID: GHSA-345p-pw5q-g98v
Finding: F039
Auto approve: 1