CVE-2020-2187

Description

Amazon EC2 Plugin connects to Windows agents via HTTPS. Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed HTTPS certificates and does not perform hostname validation when connecting to Windows agents. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents. Amazon EC2 Plugin 1.50.2 by default no longer accepts self-signed HTTPS certificates and performs hostname validation. A new configuration option allows restoring the previous, unsafe behavior. For more information see [the plugin documentation](https://github.com/jenkinsci/ec2-plugin/#securing-the-connection-to-windows-amis).

How to fix CVE-2020-2187

To remediate CVE-2020-2187, upgrade the affected package to a fixed version below.

• —upgrade to 1.50.2 or later

Is CVE-2020-2187 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.50.2

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2187
• PATCHgithub.com/jenkinsci/ec2-plugin
• WEBgithub.com/jenkinsci/ec2-plugin/commit/4c9f03ae202e4730fd54eda40771fa4d3873e358
• WEBjenkins.io/security/advisory/2020-05-06/#SECURITY-1528