Key Exchange without Entity Authentication
CVE-2022-36881
Summary
Jenkins Git client Plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks.
- HIGH
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-322 - Key Exchange without Entity Authentication
The software performs a key exchange with an actor without verifying the identity of that actor.
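The check that the summary says is missing, sketched as an added example (not code from the Jenkins Git client Plugin): the host key a server presents is compared with the entries pinned in an OpenSSH-style known_hosts file, and anything other than an exact match is refused. The host names, keys and salt are constructed sample values, the function names are hypothetical, and only plain and hashed host entries are handled (no wildcards or `@` markers).

```python
import base64, hashlib, hmac

def host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field: comma list, or hashed |1|salt|hash."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in field.split(",")

def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'mismatch' (host pinned to another key) or 'unknown'."""
    presented = base64.b64decode(key_b64)
    pinned = False
    for line in known_hosts.splitlines():
        fields = line.split()
        # Comments, blank lines and @cert-authority/@revoked markers are skipped here.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if fields[1] != key_type or not host_matches(fields[0], host):
            continue
        pinned = True
        if hmac.compare_digest(base64.b64decode(fields[2]), presented):
            return "match"
    return "mismatch" if pinned else "unknown"

def connect_allowed(verdict: str, verify: bool = True) -> bool:
    """verify=False models the flaw in the advisory: the key is never checked."""
    return verdict == "match" if verify else True

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the format OpenSSH prints, for logs and alerts."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed sample data: these are not real keys or hosts.
def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

KEY_A, KEY_B = b64(b"constructed host key A"), b64(b"constructed host key B")
SALT = b"constructed salt 0001"
HASHED = "|1|%s|%s" % (b64(SALT), b64(hmac.new(SALT, b"git.example.test", hashlib.sha1).digest()))
KNOWN_HOSTS = f"# constructed\n{HASHED} ssh-ed25519 {KEY_A}\nbuild.example.test,10.0.0.5 ssh-ed25519 {KEY_B}\n"

if __name__ == "__main__":
    for host, key in [("git.example.test", KEY_A), ("git.example.test", KEY_B), ("new.example.test", KEY_A)]:
        verdict = check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key)
        print(host, fingerprint(key), verdict, connect_allowed(verdict))
```

A `mismatch` verdict for a host that was previously pinned is the signal worth alerting on, and logging the fingerprint of the presented key gives responders something to compare against the server's real key.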
References
Advisory Timeline
- Published