Key Exchange without Entity Authentication

CVE-2022-36881

High

8.1/10

Summary

Jenkins Git client Plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-322 - Key Exchange without Entity Authentication

The software performs a key exchange with an actor without verifying the identity of that actor.

References

Advisory Timeline

Published Jul 27, 2022

Key Exchange without Entity Authentication

CVE-2022-36881

Summary

CWE-322 - Key Exchange without Entity Authentication

References

Advisory Timeline

ChainJacking

DustiLock

ChainAlert