Jenkins Google Compute Engine Plugin does not verify SSH host keys when connecting agents created by the plugin

2022-05-2417:01:41

Google

osv.dev

0.001 Low

EPSS

Percentile

47.9%

JSON

Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks. Google Compute Engine Plugin 4.2.0 verifies SSH host keys before executing any commands on agents.

CPENameOperatorVersion
org.jenkins-ci.plugins:google-compute-engineeq1.0.0
org.jenkins-ci.plugins:google-compute-engineeq1.0-beta-1
org.jenkins-ci.plugins:google-compute-engineeq4.1.1
org.jenkins-ci.plugins:google-compute-engineeq1.0.1
org.jenkins-ci.plugins:google-compute-engineeq3.3.1
org.jenkins-ci.plugins:google-compute-engineeq1.0.7
org.jenkins-ci.plugins:google-compute-engineeq3.4.0
org.jenkins-ci.plugins:google-compute-engineeq4.1.0
org.jenkins-ci.plugins:google-compute-engineeq1.0.2
org.jenkins-ci.plugins:google-compute-engineeq1.0-beta-2

Name	Operator	Version
org.jenkins-ci.plugins:google-compute-engine	eq	1.0.0
org.jenkins-ci.plugins:google-compute-engine	eq	1.0-beta-1
org.jenkins-ci.plugins:google-compute-engine	eq	4.1.1
org.jenkins-ci.plugins:google-compute-engine	eq	1.0.1
org.jenkins-ci.plugins:google-compute-engine	eq	3.3.1
org.jenkins-ci.plugins:google-compute-engine	eq	1.0.7
org.jenkins-ci.plugins:google-compute-engine	eq	3.4.0
org.jenkins-ci.plugins:google-compute-engine	eq	4.1.0
org.jenkins-ci.plugins:google-compute-engine	eq	1.0.2
org.jenkins-ci.plugins:google-compute-engine	eq	1.0-beta-2