PT-2023-26195 · Oracle+1 · Jenkins Oracle Cloud Infrastructure Compute Classic Plugin+1

Yaroslav Afenkin

Published

2023-07-12

Updated

2023-07-20

CVE-2023-37948

CVSS v3.1

4.8

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Oracle Cloud Infrastructure Compute Plugin versions 1.0.16 and earlier

Description The issue concerns the lack of SSH host key validation when connecting to OCI clouds, which could enable man-in-the-middle attacks. This allows for the interception of connections to OCI clouds. The Oracle Cloud Infrastructure Compute Plugin 1.0.17 provides strategies for performing host key validation.

Recommendations For versions 1.0.16 and earlier, update to version 1.0.17 or later, which provides strategies for performing host key validation. As a temporary workaround, consider restricting access to the OCI clouds until the issue is resolved.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2023-37948

GHSA-J54R-W587-95Q7

Affected Products

Jenkins

Jenkins Oracle Cloud Infrastructure Compute Classic Plugin

CVE-2023-37948

Weakness Enumeration

Related Identifiers

Affected Products

References · 7