CVE-2019-16546
Description
Jenkins Google Compute Engine Plugin 4.1.1 and earlier fails to verify SSH host keys, enabling man-in-the-middle attacks when connecting agents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Google Compute Engine Plugin 4.1.1 and earlier fails to verify SSH host keys, enabling man-in-the-middle attacks when connecting agents.
Vulnerability Overview
CVE-2019-16546 is a security flaw in the Jenkins Google Compute Engine Plugin, versions 4.1.1 and earlier. The plugin does not verify SSH host keys when connecting to agents it creates, a critical omission that undermines the security of SSH-based connections. By skipping host key verification, the plugin cannot authenticate the identity of the remote agent, leaving the connection vulnerable to interception and impersonation [1][2].
Attack Vector and Exploitation
An attacker with network access to the communication path between a Jenkins controller and a Google Compute Engine agent can exploit this weakness through a man-in-the-middle (MITM) attack. Without host key verification, the attacker can interpose themselves between the controller and the agent, presenting a forged host key. Because the plugin does not validate the key against a known set of trusted keys, it will accept the connection as legitimate, allowing the attacker to intercept, modify, or inject data in transit [1][2][3].
Impact
Successful exploitation enables the attacker to eavesdrop on all communications between Jenkins and the agent, potentially gaining access to sensitive build data, credentials, and configuration details. Moreover, the attacker could inject malicious commands or modify build artifacts, leading to arbitrary code execution on the Jenkins controller or on the agent machines. The impact is considered high, as it compromises the integrity and confidentiality of Jenkins operations [1][2].
Mitigation
The issue was addressed in Google Compute Engine Plugin version 4.2.0, released on November 21, 2019, alongside several other security fixes for Jenkins plugins [1][3]. Users should immediately upgrade the plugin to version 4.2.0 or later. There is no workaround short of disabling the plugin; therefore, upgrading is strongly recommended to prevent MITM attacks.
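The defensive check the narrative above says the plugin lacked, as an added example that is not code from the page or from the Jenkins plugin: a small, stdlib-only host-key pinning routine. It computes an OpenSSH-style `SHA256:` fingerprint from a presented host-key blob and compares it, in constant time, against a known_hosts-style pin store; an unknown host or a fingerprint mismatch is rejected instead of being silently accepted. The key blobs, the host name `agent-1.example.internal` and the pin store are constructed for the example, and `accept_any_host_key` stands in for the no-verification behaviour described in the advisory, not for the plugin's actual code.

```python
import base64
import hashlib
import hmac

# Constructed sample host-key blobs (NOT real SSH keys): 32 random-looking bytes
# standing in for the wire-format public key a server presents during key exchange.
GENUINE_AGENT_KEY = base64.b64encode(
    hashlib.sha256(b"constructed genuine agent key").digest()).decode()
FORGED_KEY = base64.b64encode(
    hashlib.sha256(b"constructed forged key").digest()).decode()


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(raw key blob)."""
    raw = base64.b64decode(key_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# A known_hosts-style pin store (constructed): host name -> expected fingerprint.
# In a real deployment this would be populated out of band from a trusted source,
# never from the SSH connection being verified.
KNOWN_HOSTS = {
    "agent-1.example.internal": fingerprint(GENUINE_AGENT_KEY),
}


def verify_host_key(host: str, presented_key_b64: str,
                    known_hosts: dict = KNOWN_HOSTS) -> tuple:
    """Return (accepted, reason). Reject unknown hosts and fingerprint mismatches."""
    expected = known_hosts.get(host)
    if expected is None:
        # No pin for this host: refuse rather than trust-on-first-use.
        return (False, "unknown host: no pinned key for %s" % host)
    presented = fingerprint(presented_key_b64)
    # Constant-time comparison so the check leaks nothing about the expected value.
    if not hmac.compare_digest(expected, presented):
        return (False, "HOST KEY MISMATCH for %s: possible man-in-the-middle" % host)
    return (True, "host key verified for %s" % host)


def accept_any_host_key(host: str, presented_key_b64: str) -> tuple:
    """The weak policy: every key is accepted, so an interposed party is indistinguishable
    from the real agent. Shown only for contrast with verify_host_key."""
    return (True, "accepted without verification for %s" % host)


if __name__ == "__main__":
    print(verify_host_key("agent-1.example.internal", GENUINE_AGENT_KEY))
    print(verify_host_key("agent-1.example.internal", FORGED_KEY))
    print(verify_host_key("agent-9.example.internal", GENUINE_AGENT_KEY))
    print(accept_any_host_key("agent-1.example.internal", FORGED_KEY))
```

The point of the contrast is the second and third calls: with a pin store the forged key and the unknown host both fail closed, whereas the accept-anything policy returns success for the same inputs, which is exactly the condition under which an on-path party can impersonate the agent.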
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:google-compute-engine (Maven) | < 4.2.0 | 4.2.0 |
Affected products
- Range: 4.1.1 and earlier
Patches
139153c58a403 [maven-release-plugin] prepare release google-compute-engine-4.2.0
1 file changed · +2 −2
pom.xml+2 −2 modified@@ -23,7 +23,7 @@ </parent> <artifactId>google-compute-engine</artifactId> - <version>4.2.0-SNAPSHOT</version> + <version>4.2.0</version> <packaging>hpi</packaging> <name>Google Compute Engine Plugin</name> @@ -63,7 +63,7 @@ <connection>scm:git:ssh://github.com/jenkinsci/google-compute-engine-plugin.git</connection> <developerConnection>scm:git:ssh://git@github.com/jenkinsci/google-compute-engine-plugin.git</developerConnection> <url>https://github.com/jenkinsci/google-compute-engine-plugin</url> - <tag>HEAD</tag> + <tag>google-compute-engine-4.2.0</tag> </scm> <properties>
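Review bot: neither hunk touches host-key handling; the first only bumps `<version>4.2.0-SNAPSHOT</version>` to `<version>4.2.0</version>` and the second changes `<tag>HEAD</tag>` to `<tag>google-compute-engine-4.2.0</tag>`, so this is the release-plugin bookkeeping commit, not the change that introduces host-key verification. The patches list should reference the commit that actually adds the verification logic, otherwise readers trying to confirm the fix from the diff will find nothing relevant in it.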
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-345p-pw5q-g98v (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-16546 (NVD)
- https://www.openwall.com/lists/oss-security/2019/11/21/1 (oss-security mailing list)
- https://jenkins.io/security/advisory/2019-11-21/ (Jenkins security advisory)
News mentions
No linked articles in our index yet.