CVE-2023-37948
Description
Jenkins Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not validate SSH host keys when connecting to OCI clouds, enabling man-in-the-middle attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins OCI Compute Plugin fails to validate SSH host keys, enabling man-in-the-middle attacks against OCI cloud connections.
Vulnerability
Jenkins Oracle Cloud Infrastructure Compute Plugin versions 1.0.16 and earlier do not validate SSH host keys when establishing connections to Oracle Cloud Infrastructure (OCI) clouds. This oversight means the plugin does not verify the identity of the remote server, allowing attackers to impersonate OCI endpoints [1][3].
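The missing control here is a host-key check against a pinned known_hosts entry. The following is an added example, not code from the plugin or from Jenkins: a stand-alone verifier, standard library only, that handles plain and hashed (`|1|salt|hmac`) known_hosts entries and reports the three outcomes a connector must distinguish. All host names, keys and salts below are constructed placeholders, not real OCI values.

```python
import base64
import hashlib
import hmac
import struct

# Added example, not the plugin's code: the host-key check CVE-2023-37948 describes as
# missing, written as a stand-alone known_hosts verifier over constructed sample data.

def ssh_ed25519_blob(raw_key: bytes) -> str:
    """Encode a 32-byte Ed25519 public key in SSH wire format, base64 as in known_hosts."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(raw_key)) + raw_key
    return base64.b64encode(blob).decode()

def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Host field in the '|1|salt|hmac' form OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern: str, hostname: str) -> bool:
    """Match a known_hosts host field (plain, comma-separated or hashed) against hostname."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in pattern.split(",")

def verify_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'mismatch' (key changed: possible MITM) or 'unknown' (nothing pinned)."""
    # A connector that treats anything but 'match' as fatal is the behaviour the fix
    # restores; accepting every presented key is the vulnerable behaviour.
    pinned = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue
        if parts[1] != key_type or not host_matches(parts[0], hostname):
            continue
        pinned = True
        if hmac.compare_digest(parts[2], key_b64):
            return "match"
    return "mismatch" if pinned else "unknown"

# Constructed sample data: one plain and one hashed known_hosts entry for the genuine key.
GENUINE_KEY = ssh_ed25519_blob(bytes(range(32)))
IMPOSTOR_KEY = ssh_ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = "\n".join([
    "# constructed sample; not a real OCI host list",
    "instance-a.oci.example ssh-ed25519 " + GENUINE_KEY,
    hashed_host_entry("instance-b.oci.example", b"constructed-salt-20b") + " ssh-ed25519 " + GENUINE_KEY,
])
```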
Exploitation
An attacker with network access to the communication path between a Jenkins controller and an OCI cloud can perform a man-in-the-middle attack. No elevated privileges within Jenkins are required beyond the ability to configure OCI cloud connections. The attacker can intercept and modify SSH traffic, potentially capturing sensitive information or injecting malicious commands [2].
Impact
Successful exploitation allows the attacker to steal credentials used for OCI connections, access OCI resources, or manipulate data in transit. This compromises the confidentiality and integrity of the connected OCI environments.
Mitigation
The issue is fixed in Oracle Cloud Infrastructure Compute Plugin version 1.0.17. Users should upgrade immediately. No workarounds are available [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:oracle-cloud-infrastructure-compute (Maven) | < 1.0.17 | 1.0.17 |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/advisories/GHSA-j54r-w587-95q7 (ghsa, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-37948 (ghsa, advisory)
- www.jenkins.io/security/advisory/2023-07-12/ (ghsa, vendor advisory, web)
- www.openwall.com/lists/oss-security/2023/07/12/2 (ghsa, web)
News mentions (1)
- Jenkins Security Advisory 2023-07-12, Jenkins Security Advisories, Jul 12, 2023