oss-sec mailing list archives
Terrapin vulnerability in Jenkins CLI client
From: Daniel Beck <ml () beckweb net>
Date: Wed, 17 Apr 2024 18:35:21 +0200
Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.452
* Jenkins LTS 2.440.3

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://www.jenkins.io/security/advisory/2024-04-17/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3386 / CVE-2023-48795

The CLI client (`jenkins-cli.jar`) in Jenkins 2.451 and earlier, LTS 2.440.2 and earlier bundles versions of the Apache MINA SSHD library that are susceptible to CVE-2023-48795 (Terrapin attack). This vulnerability allows a machine-in-the-middle attacker to reduce the security of an SSH connection.

NOTE: This only affects the Jenkins CLI client when using the `-ssh` connection mode, which is not the default.
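The advisory names the bug but not how an SSH peer signals the countermeasure. As an added example (not from the Jenkins advisory or the MINA SSHD project), the Python below parses an SSH_MSG_KEXINIT payload per RFC 4253 and reports whether a peer advertises the OpenSSH "strict kex" extension that closes CVE-2023-48795, and whether it offers the ChaCha20-Poly1305 or CBC-with-Encrypt-then-MAC modes the Terrapin attack targets. The sample KEXINIT bytes are constructed here, not captured from a Jenkins controller.

```python
import struct

# Strict-kex pseudo-names (CVE-2023-48795 countermeasure), one per direction.
STRICT_KEX = {"server": "kex-strict-s-c-v00@openssh.com",
              "client": "kex-strict-c-s-v00@openssh.com"}
CHACHA = "chacha20-poly1305@openssh.com"  # one of the two modes Terrapin targets
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def _name_list(buf, off):
    """Decode an RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    names = buf[off + 4:off + 4 + n].decode("ascii").split(",")
    return [s for s in names if s], off + 4 + n

def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1, message id 20)."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}  # skip the message id and the 16-byte cookie
    for field in KEXINIT_FIELDS:
        out[field], off = _name_list(payload, off)
    return out

def assess_terrapin(payload, side="server"):
    """Report strict-kex support (effective only when both peers advertise it)
    and the offered cipher/MAC modes Terrapin can attack when it is missing."""
    k = parse_kexinit(payload)
    strict, exposed = STRICT_KEX[side] in k["kex"], set()
    for d in ("c2s", "s2c"):
        ciphers, macs = k["enc_" + d], k["mac_" + d]
        exposed.update({CHACHA} & set(ciphers))  # ChaCha20-Poly1305 offered
        if (any(c.endswith("-cbc") for c in ciphers)
                and any(m.endswith("-etm@openssh.com") for m in macs)):
            exposed.add("cbc-with-etm")  # CBC cipher paired with Encrypt-then-MAC
    return {"strict_kex": strict, "exposed": sorted(exposed),
            "mitigated": strict or not exposed}

def build_kexinit(kex, enc, mac, hostkey=("ssh-ed25519",)):
    """Build a KEXINIT payload for testing (constructed input, not a capture)."""
    def nl(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    body = nl(kex) + nl(hostkey) + nl(enc) * 2 + nl(mac) * 2 + nl(["none"]) * 2 + nl([]) * 2
    return bytes([20]) + b"\x00" * 16 + body + b"\x00" + struct.pack(">I", 0)

# Constructed samples: an unpatched server offering ChaCha20-Poly1305 without the
# strict kex marker, and the same server after the fix adds it.
ENC, MAC = [CHACHA, "aes256-ctr"], ["hmac-sha2-256-etm@openssh.com"]
UNPATCHED = build_kexinit(["curve25519-sha256"], ENC, MAC)
PATCHED = build_kexinit(["curve25519-sha256", STRICT_KEX["server"]], ENC, MAC)
```

Run `assess_terrapin` on the decoded KEXINIT from each side of a connection: the countermeasure holds only when both peers, here the Jenkins CLI client and the controller's SSH endpoint, advertise their strict-kex marker.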