CVE-2019-10364 — Jenkins Amazon EC2 Plugin leaked beginning of private key in system log

Description

Jenkins Amazon EC2 Plugin printed a log message that contained the beginning of the private key to the Jenkins system log. The log message no longer includes the beginning of the private key.

How to fix CVE-2019-10364

To remediate CVE-2019-10364, upgrade the affected package to a fixed version below.

Maven/org.jenkins-ci.plugins:ec2—upgrade to 1.44 or later

Is CVE-2019-10364 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.44

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10364
WEBgithub.com/jenkinsci/ec2-plugin/commit/78c3c49a227ac8eccb8b1be7193d5605363fe251
WEBjenkins.io/security/advisory/2019-07-31/#SECURITY-673
WEBwww.openwall.com/lists/oss-security/2019/07/31/1