Description
A man-in-the-middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older: the plugin disables host key verification by default. The affected files are AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, and AnsiblePlaybookStep.java.
Remediation
References
https://jenkins.io/security/advisory/2018-03-26/#SECURITY-630