
CloudBees Security Advisory 2024-04-18

This advisory announces vulnerabilities in CloudBees CI and Jenkins.

Terrapin SSH vulnerability in Jenkins CLI client

SECURITY-3386 / CVE-2023-48795

Severity (CVSS): Medium (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

Description:

The CLI client (jenkins-cli.jar) in Jenkins 2.451 and earlier, LTS 2.440.2 and earlier bundles versions of the Apache MINA SSHD library that are susceptible to CVE-2023-48795 (Terrapin attack). This vulnerability allows a machine-in-the-middle attacker to reduce the security of an SSH connection.

Note: This only affects the Jenkins CLI client when using the -ssh connection mode, which is not the default.

The CLI client (jenkins-cli.jar) in Jenkins 2.452, LTS 2.440.3 bundles version 2.12.1 of the Apache MINA SSHD library, which is unaffected by this issue.
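As an added illustration that is not part of this advisory: the script below parses an SSH KEXINIT offer and reports whether it leaves the connection open to the prefix-truncation weakness behind CVE-2023-48795. The affected cipher modes and the strict-kex countermeasure names are taken from the Terrapin disclosure rather than from this advisory, and the sample KEXINIT payloads are constructed for offline testing.

```python
import struct

# SSH_MSG_KEXINIT layout (RFC 4253 section 7.1): message byte 20, a 16-byte
# cookie, then ten name-lists (uint32 length + comma-separated names).
KEXINIT = 20
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Modes singled out by the Terrapin (CVE-2023-48795) disclosure, and the "strict
# kex" pseudo-algorithms peers advertise in the kex list as the countermeasure.
STRICT_KEX = {"kex-strict-s-v00@openssh.com", "kex-strict-c-v00@openssh.com"}
CHACHA20 = "chacha20-poly1305@openssh.com"


def parse_kexinit(payload: bytes) -> dict:
    """Split a raw KEXINIT payload into its ten name-lists."""
    if not payload or payload[0] != KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}  # skip the message byte and the 16-byte cookie
    for name in NAME_LISTS:
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + length].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        off += length
    return lists


def terrapin_exposure(lists: dict) -> dict:
    """Classify one peer's offer: which affected modes it offers, and whether
    it advertises strict kex (protection needs strict kex on both sides)."""
    encs = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    macs = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    cbc_etm = (any(e.endswith("-cbc") for e in encs)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    report = {
        "strict_kex": bool(STRICT_KEX & set(lists["kex"])),
        "chacha20_poly1305": CHACHA20 in encs,
        "cbc_etm": cbc_etm,
    }
    report["exposed"] = (report["chacha20_poly1305"] or cbc_etm) and not report["strict_kex"]
    return report


def build_kexinit(kex: list, enc: list, mac: list) -> bytes:
    """Constructed sample payload (zero cookie) so the parser can run offline."""
    def nl(items):
        joined = ",".join(items).encode("ascii")
        return struct.pack(">I", len(joined)) + joined
    body = bytes([KEXINIT]) + b"\x00" * 16
    body += nl(kex) + nl(["ssh-ed25519"]) + nl(enc) * 2 + nl(mac) * 2
    body += nl(["none"]) * 2 + nl([]) * 2 + b"\x00" + struct.pack(">I", 0)
    return body
```

A peer that offers ChaCha20-Poly1305 or a CBC cipher with an EtM MAC but does not advertise strict kex is reported as exposed; upgrading the client library (as this advisory does) adds the strict-kex advertisement.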


Fix

  • CloudBees Traditional Platforms should be upgraded to 2.440.3.7
  • CloudBees Cloud Platforms should be upgraded to 2.440.3.7
