First published: Wed May 06 2020(Updated: )
Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed certificates and does not perform hostname validation, enabling man-in-the-middle attacks.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
Jenkins Amazon Ec2 | <=1.50.1 | |
maven/org.jenkins-ci.plugins:ec2 | <=1.50.1 | 1.50.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2020-2187 is medium.
Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed HTTPS certificates.
No, Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not perform hostname validation when connecting to Windows agents.
The lack of validation in Jenkins Amazon EC2 Plugin 1.50.1 and earlier could be abused through a man-in-the-middle attack.
To fix CVE-2020-2187, update to version 1.50.2 of Jenkins Amazon EC2 Plugin or later.