Описание
Lack of SSL/TLS certificate and hostname validation in Amazon EC2 Plugin
Amazon EC2 Plugin connects to Windows agents via HTTPS.
Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed HTTPS certificates and does not perform hostname validation when connecting to Windows agents. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.
Amazon EC2 Plugin 1.50.2 by default no longer accepts self-signed HTTPS certificates and performs hostname validation. A new configuration option allows restoring the previous, unsafe behavior. For more information see the plugin documentation.
Пакеты
org.jenkins-ci.plugins:ec2
<= 1.50.1
1.50.2
Связанные уязвимости
Jenkins Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed certificates and does not perform hostname validation, enabling man-in-the-middle attacks.