Raihaan Shouhell

**Name of the Vulnerable Software and Affected Versions** Jenkins Role-based Authorization Strategy Plugin versions 3.0 and earlier **Description** The issue arises from the improper invalidation of a permission cache when the configuration is changed, resulting in permissions being granted based on an outdated configuration. This can lead to permissions being granted long after the configuration was changed to no longer grant them. **Recommendations** For Jenkins Role-based Authorization Strategy Plugin versions 3.0 and earlier, update to version 3.1 or newer to properly invalidate the cache on configuration changes.

**Name of the Vulnerable Software and Affected Versions** Jenkins Amazon EC2 Plugin versions 1.50.1 and earlier **Description** The issue concerns a lack of SSH host key validation when connecting agents, which could enable man-in-the-middle attacks to intercept connections to build agents. This could potentially allow unauthorized access or manipulation of data. **Recommendations** For Jenkins Amazon EC2 Plugin versions 1.50.1 and earlier, update to version 1.50.2 or later, which provides strategies for performing host key validation and assistance for migrating to a more secure strategy.

**Name of the Vulnerable Software and Affected Versions** Jenkins Amazon EC2 Plugin versions 1.50.1 and earlier **Description** The issue allows for man-in-the-middle attacks due to the unconditional acceptance of self-signed certificates and the lack of hostname validation when connecting to Windows agents via HTTPS. This could be exploited to intercept connections to build agents. **Recommendations** For Jenkins Amazon EC2 Plugin versions 1.50.1 and earlier, update to version 1.50.2 or later, which by default no longer accepts self-signed HTTPS certificates and performs hostname validation. Note that a new configuration option in version 1.50.2 allows restoring the previous, unsafe behavior, so it is recommended to avoid using this option to maintain the secure default settings.