PT-2019-14701 · Jenkins · Jenkins Google Compute Engine Plugin

Matt Sicker · Published 2019-11-21 · Updated 2023-10-25 · CVE-2019-16546

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier

Description

The issue allows man-in-the-middle attacks due to the lack of SSH host key verification when connecting agents created by the plugin. This enables potential attackers to intercept and manipulate communications. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited.

Recommendations

For Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier, update to version 4.2.0 or later, which verifies SSH host keys before executing any commands on agents.

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2019-16546
GHSA-345P-PW5Q-G98V

Affected Products

Jenkins
Jenkins Google Compute Engine Plugin