PT-2018-9321 · Jenkins · Jenkins Ansible Plugin

Daniel Beck · Published 2018-04-05 · Updated 2022-05-13 · CVE-2018-1000149

CVSS v2.0: 6.8 (Medium) · Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Jenkins Ansible Plugin versions 0.8 and older

Description: A man-in-the-middle issue exists because host key verification is disabled by default in several Java files, including AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, and AnsiblePlaybookStep.java. This issue is resolved in version 1.0 of the Ansible Plugin, which enables host key verification by default and provides options for users to opt out.

Recommendations: For Jenkins Ansible Plugin versions 0.8 and older, update to version 1.0 or newer, which enables host key verification by default. As a temporary workaround, consider configuring the plugin to enable host key verification manually until a patch is available.
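The practical question for an operator applying the workaround above is whether the ansible process launched from a Jenkins agent actually runs with host key checking on. The following is an added example, not code from the advisory or from the Jenkins Ansible Plugin. It assumes (not stated on this page) that the affected plugin versions disable verification by exporting ANSIBLE_HOST_KEY_CHECKING=False into the ansible environment, and it relies on Ansible's documented precedence for that setting: environment variable, then host_key_checking under [defaults] in ansible.cfg, then the built-in default (enabled). The sample environments and config texts are constructed for the demonstration.

```python
"""Audit helper: is SSH host key checking effectively enabled for an
Ansible run?  Added example; not part of the Jenkins Ansible Plugin.

Assumption (not on the advisory page): vulnerable plugin versions pass
ANSIBLE_HOST_KEY_CHECKING=False to the ansible process.  Ansible resolves
the setting as: environment variable > ansible.cfg [defaults] > default True.
"""
import configparser
from typing import Mapping, Optional

ENV_VAR = "ANSIBLE_HOST_KEY_CHECKING"
CFG_KEY = "host_key_checking"

# Boolean spellings Ansible accepts for this setting (case-insensitive).
_TRUE = {"1", "true", "yes", "on", "y", "t"}
_FALSE = {"0", "false", "no", "off", "n", "f"}


def parse_bool(value: str) -> Optional[bool]:
    """Return True/False for a recognised boolean spelling, else None."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return None


def config_host_key_checking(cfg_text: str) -> Optional[bool]:
    """Read [defaults] host_key_checking from ansible.cfg text; None if unset."""
    parser = configparser.ConfigParser(
        inline_comment_prefixes=("#", ";"), interpolation=None
    )
    parser.read_string(cfg_text)
    if parser.has_option("defaults", CFG_KEY):
        return parse_bool(parser.get("defaults", CFG_KEY))
    return None


def host_key_checking_enabled(env: Mapping[str, str], cfg_text: str = "") -> bool:
    """Effective value: env var wins, then ansible.cfg, then Ansible's default (True)."""
    if ENV_VAR in env:
        parsed = parse_bool(env[ENV_VAR])
        if parsed is not None:
            return parsed
    from_cfg = config_host_key_checking(cfg_text)
    if from_cfg is not None:
        return from_cfg
    return True


def audit(env: Mapping[str, str], cfg_text: str = "") -> str:
    """One-line verdict suitable for a job log or a compliance check."""
    if host_key_checking_enabled(env, cfg_text):
        return "OK: SSH host key checking is enabled"
    source = "environment" if ENV_VAR in env else "ansible.cfg"
    return f"WEAK: SSH host key checking disabled via {source} (MITM exposure)"


if __name__ == "__main__":
    # Constructed: environment as a pre-1.0 plugin build would pass it.
    vulnerable_env = {"ANSIBLE_HOST_KEY_CHECKING": "False"}
    # Constructed: environment after the workaround / plugin 1.0 defaults.
    fixed_env = {}
    # Constructed: agent-side ansible.cfg that silently weakens the fix.
    weak_cfg = "[defaults]\nhost_key_checking = False  # left over from testing\n"
    print(audit(vulnerable_env))
    print(audit(fixed_env))
    print(audit(fixed_env, weak_cfg))
```

The third case matters in practice: removing the plugin's override is not enough if the agent's own ansible.cfg still disables the check, so the audit looks at both layers before reporting the run as safe.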


Related Identifiers

CVE-2018-1000149
GHSA-322X-JV5H-CVJH

Affected Products

Jenkins
Jenkins Ansible Plugin