Maven package
org.jenkins-ci.plugins/ec2
pkg:maven/org.jenkins-ci.plugins/ec2
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-2188 | — | | | < 1.50.2 | 1.50.2 | May 6, 2020 | A missing permission check in Jenkins Amazon EC2 Plugin 1.50.1 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. |
| CVE-2020-2187 | — | | | < 1.50.2 | 1.50.2 | May 6, 2020 | Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed certificates and does not perform hostname validation, enabling man-in-the-middle attacks. |
| CVE-2020-2186 | — | | | < 1.50.2 | 1.50.2 | May 6, 2020 | A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier allows attackers to provision instances. |
| CVE-2020-2185 | — | | | < 1.50.2 | 1.50.2 | May 6, 2020 | Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not validate SSH host keys when connecting agents, enabling man-in-the-middle attacks. |
| CVE-2020-2090 | — | | | < 1.48 | 1.48 | Jan 15, 2020 | A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method. |
| CVE-2020-2091 | — | | | < 1.48 | 1.48 | Jan 15, 2020 | A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method. |
| CVE-2019-10364 | — | | | < 1.44 | 1.44 | Jul 31, 2019 | Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log. |
| CVE-2017-1000502 | — | | | < 1.38 | 1.38 | Jan 24, 2018 | Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of these agents now requires the 'Run Scripts' permission |