GHSA-q8qq-2p5p-rg44

GitHub Security Advisory

Missing SSH host key validation in Jenkins Amazon EC2 Plugin

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Jenkins Amazon EC2 Plugin 1.50.1 and earlier does not perform SSH host key validation when connecting to agents. Without that validation, a man-in-the-middle attacker could intercept these connections to build agents.

Jenkins Amazon EC2 Plugin 1.50.2 provides host key validation strategies so that administrators can select the one that meets their security needs. It also includes assistance for administrators migrating to a new, more secure strategy. For more information, see [the plugin documentation](https://github.com/jenkinsci/ec2-plugin/#securing-the-connection-to-unix-amis).

Affected Packages

Maven org.jenkins-ci.plugins:ec2
Affected versions: 1.50.1 and earlier (fixed in 1.50.2)

Key Information

GHSA ID: GHSA-q8qq-2p5p-rg44
Published: May 24, 2022 5:17 PM
Last Modified: December 14, 2023 9:28 AM
CVSS Score: 5.0/10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.plugins:ec2
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.