Man-in-the-Middle Vulnerability in Jenkins SSH Slaves Plugin by CloudBees
CVE-2017-2648

6.8MEDIUM

Key Information:

Vendor

Jenkins
Status
Jenkins-ssh-slaves-plugin
Vendor
CVE Published:
27 July 2018
đź”” Create Jenkins Vulnerability Alert

What is CVE-2017-2648?

The Jenkins SSH Slaves Plugin prior to version 1.15 lacks proper host key verification during SSH connections. This oversight allows attackers to execute Man-in-the-Middle attacks, potentially compromising sensitive data exchanged between the server and a connected slave. Ensuring host key verification is critical for maintaining the integrity and confidentiality of data transmissions in Jenkins environments.

Affected Version(s)

jenkins-ssh-slaves-plugin 1.15

References

http://www.securityfocus.com/bid/96985
vdb-entryx_refsource_BID
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2648
x_refsource_CONFIRM
https://jenkins.io/security/advisory/2017-03-20/
x_refsource_CONFIRM

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.