Description
A man-in-the-middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older: host key verification is disabled by default. The affected files are AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, and AnsiblePlaybookStep.java.
Remediation
References
https://jenkins.io/security/advisory/2018-03-26/#SECURITY-630