CVE-2020-2187

Name of the Vulnerable Software and Affected Versions Jenkins Amazon EC2 Plugin versions 1.50.1 and earlier

Description The issue allows for man-in-the-middle attacks due to the unconditional acceptance of self-signed certificates and the lack of hostname validation when connecting to Windows agents via HTTPS. This could be exploited to intercept connections to build agents.

Recommendations For Jenkins Amazon EC2 Plugin versions 1.50.1 and earlier, update to version 1.50.2 or later, which by default no longer accepts self-signed HTTPS certificates and performs hostname validation. Note that a new configuration option in version 1.50.2 allows restoring the previous, unsafe behavior, so it is recommended to avoid using this option to maintain the secure default settings.