GHSA-cm7j-p8hc-97vj

Suggest an improvement
Source
https://github.com/advisories/GHSA-cm7j-p8hc-97vj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cm7j-p8hc-97vj/GHSA-cm7j-p8hc-97vj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cm7j-p8hc-97vj
Aliases
Published
2022-07-28T00:00:43Z
Modified
2024-01-05T16:47:03.220027Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Jenkins Git client plugin 3.11.0 does not perform SSH host key verification
Details

Jenkins Git client plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks. Git client Plugin 3.11.1 provides strategies for performing host key verification for administrators to select the one that meets their security needs. For more information see the plugin documentation.

References

Affected packages

Maven / org.jenkins-ci.plugins:git-client

Package

Name
org.jenkins-ci.plugins:git-client
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/git-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.11.1

Affected versions

1.*

1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1
1.1.1
1.1.2
1.2.0
1.3.0
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.5.0
1.5.1
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.7.0
1.8.0
1.8.1
1.9.0
1.9.1
1.9.2
1.10.0
1.10.1
1.10.2
1.11.0
1.11.1
1.12.0
1.13.0
1.14.0
1.14.1
1.15.0
1.16.1
1.17.0
1.17.1
1.18.0
1.19.0
1.19.1
1.19.2
1.19.3
1.19.4
1.19.5
1.19.6
1.19.7
1.20.0-beta1
1.20.0-beta2
1.20.0-beta3
1.20.2
1.21.0

2.*

2.0.0-beta1
2.0.0-beta2
2.0.0-beta3
2.0.0-beta4
2.0.0
2.1.0
2.2.0
2.2.1
2.3.0
2.4.0
2.4.1
2.4.2
2.4.4
2.4.5
2.4.6
2.5.0
2.6.0
2.7.0
2.7.1
2.7.2
2.7.3
2.7.3.1
2.7.4
2.7.4.1
2.7.5
2.7.6
2.7.7
2.7.7.1
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.9.0

3.*

3.0.0-beta1
3.0.0-beta2
3.0.0-beta3
3.0.0-beta4
3.0.0-beta5
3.0.0-beta6
3.0.0-beta7
3.0.0-beta8
3.0.0-beta9
3.0.0-beta10
3.0.0-beta11
3.0.0-beta12
3.0.0-rc
3.0.0
3.1.0-beta
3.1.0
3.1.1
3.2.0
3.2.1
3.3.0
3.3.1
3.3.2
3.4.0
3.4.1
3.4.2
3.5.0
3.5.1
3.6.0
3.7.0
3.7.1
3.7.2
3.8.0
3.9.0
3.10.0
3.10.0.1
3.10.0.2
3.10.1
3.11.0

Database specific

{
    "last_known_affected_version_range": "<= 3.11.0"
}