CVE-2019-16546

CWE-639 — Insecure Direct Object Reference CWE-3005 documents5 sources

Severity

5.9MEDIUM

EPSS

0.0%

top 86.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Google Compute Engine Jenkins Project Jenkins Google Compute Engine Plugin

Timeline

PublishedNov 21

Latest updateMay 24

Description

Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:google-compute-engine< 4.2.0

▶CVEListV5jenkins_project/jenkins_google_compute_engine_plugin4.1.1 and earlier

▶NVDjenkins/google_compute_engine< 4.2.0

🔴Vulnerability Details

GHSA

Jenkins Google Compute Engine Plugin does not verify SSH host keys when connecting agents created by the plugin↗2022-05-24

▶

OSV

Jenkins Google Compute Engine Plugin does not verify SSH host keys when connecting agents created by the plugin↗2022-05-24

▶

CVEList

CVE-2019-16546: Jenkins Google Compute Engine Plugin 4↗2019-11-21

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2019-11-21↗2019-11-21

▶