PT-2019-14701 · Jenkins · Jenkins Google Compute Engine Plugin+1

Matt Sicker · Published 2019-11-21 · Updated 2023-10-25 · CVE-2019-16546

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier

Description

The issue allows man-in-the-middle attacks due to the lack of SSH host key verification when connecting agents created by the plugin. This enables potential attackers to intercept and manipulate communications. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited.

Recommendations

For Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier, update to version 4.2.0 or later, which verifies SSH host keys before executing any commands on agents.

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2019-16546
GHSA-345P-PW5Q-G98V

Affected Products

Jenkins
Jenkins Google Compute Engine Plugin