CVE-2020-2185

Description

Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not use SSH host key validation when connecting to agents. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents. Jenkins Amazon EC2 Plugin 1.50.2 provides strategies for performing host key validation for administrators to select the one that meets their security needs. It includes assistance for administrators to migrate to a new, more secure strategy. For more information see [the plugin documentation](https://github.com/jenkinsci/ec2-plugin/#securing-the-connection-to-unix-amis).

How to fix CVE-2020-2185

To remediate CVE-2020-2185, upgrade the affected package to a fixed version below.

• —upgrade to 1.50.2 or later

Is CVE-2020-2185 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.50.2

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2185
• PATCHgithub.com/jenkinsci/ec2-plugin
• WEBgithub.com/jenkinsci/ec2-plugin/commit/4c9f03ae202e4730fd54eda40771fa4d3873e358
• WEBjenkins.io/security/advisory/2020-05-06/#SECURITY-381