PT-2018-9321 · Jenkins · Jenkins Ansible Plugin

Daniel Beck · Published 2018-04-05 · Updated 2022-05-13 · CVE-2018-1000149

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Jenkins Ansible Plugin versions 0.8 and older

Description

A man-in-the-middle issue exists because host key verification is disabled by default in several Java files, including AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, and AnsiblePlaybookStep.java. The issue is resolved in version 1.0 of the Ansible Plugin, which enables host key verification by default and provides options for users to opt out.

Recommendations

For Jenkins Ansible Plugin versions 0.8 and older, update to version 1.0 or newer to enable host key verification by default. As a temporary workaround, consider configuring the plugin to enable host key verification manually until a patch is available.
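
An added example, not part of the original advisory or the plugin's code: a small audit that flags the places where host key verification can be switched off for Ansible runs launched from Jenkins. `ANSIBLE_HOST_KEY_CHECKING`, `ANSIBLE_SSH_ARGS` and the `ansible.cfg` keys are standard Ansible settings; the `disableHostKeyChecking` pipeline parameter name is an assumption about plugin 1.0 and newer, and all sample inputs are constructed.

```python
import configparser
import re

FALSE_WORDS = {"0", "false", "no", "off", "n", "f"}  # spellings Ansible reads as false
SSH_NO_CHECK = re.compile(r"StrictHostKeyChecking[=\s]+(no|off)\b", re.I)
# Assumption: pipeline parameter name used by plugin 1.0+ to opt out of checking.
PIPELINE_OPT_OUT = re.compile(r"\bdisableHostKeyChecking\s*:\s*true\b")

def is_false(value):
    return value is not None and value.strip().lower() in FALSE_WORDS

def audit_env(env):
    """Findings for a build's environment variables (a dict)."""
    findings = []
    if is_false(env.get("ANSIBLE_HOST_KEY_CHECKING")):
        findings.append("env: ANSIBLE_HOST_KEY_CHECKING is false")
    if SSH_NO_CHECK.search(env.get("ANSIBLE_SSH_ARGS", "")):
        findings.append("env: ANSIBLE_SSH_ARGS disables StrictHostKeyChecking")
    return findings

def audit_ansible_cfg(text):
    """Findings for the contents of an ansible.cfg file."""
    cfg = configparser.ConfigParser(interpolation=None)  # ssh_args may contain '%'
    cfg.read_string(text)
    findings = []
    if is_false(cfg.get("defaults", "host_key_checking", fallback=None)):
        findings.append("ansible.cfg: [defaults] host_key_checking is false")
    if SSH_NO_CHECK.search(cfg.get("ssh_connection", "ssh_args", fallback="")):
        findings.append("ansible.cfg: ssh_args disables StrictHostKeyChecking")
    return findings

def audit_pipeline(text):
    """Line numbers in a Jenkinsfile where a step opts out of host key checking."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if PIPELINE_OPT_OUT.search(line.split("//")[0])]  # ignore // comments

# Constructed sample inputs, not taken from any real job.
SAMPLE_ENV = {"ANSIBLE_HOST_KEY_CHECKING": "False", "PATH": "/usr/bin"}
SAMPLE_CFG = """[defaults]
host_key_checking = no
[ssh_connection]
ssh_args = -o ControlPath=%(directory)s/%%h -o StrictHostKeyChecking=no
"""
SAMPLE_JENKINSFILE = """// ansiblePlaybook(playbook: 'x.yml', disableHostKeyChecking: true)
ansiblePlaybook(playbook: 'db.yml', disableHostKeyChecking: true)
"""

if __name__ == "__main__":
    print(audit_env(SAMPLE_ENV), audit_ansible_cfg(SAMPLE_CFG), audit_pipeline(SAMPLE_JENKINSFILE))
```

Any finding means an SSH connection made by that job accepts whatever host key the remote end presents, which is the condition the advisory describes.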

Related identifiers

CVE-2018-1000149
GHSA-322X-JV5H-CVJH

Affected products

Jenkins
Jenkins Ansible Plugin