
GHSA-rv9g-67f7-grq7

GitHub Security Advisory

Missing SSH host key validation in Mac Plugin

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Mac Plugin 1.1.0 and earlier does not perform SSH host key validation when connecting to Mac Cloud hosts launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.

Mac Plugin 1.2.0 validates SSH host keys when connecting to agents.

Affected Packages

Maven fr.edf.jenkins.plugins:mac
Affected versions: 0 (fixed in 1.2.0)

Related CVEs

Key Information

GHSA ID: GHSA-rv9g-67f7-grq7
Published: May 24, 2022 5:10 PM
Last Modified: January 14, 2023 5:24 AM
CVSS Score: 5.0/10
Primary Ecosystem: Maven
Primary Package: fr.edf.jenkins.plugins:mac
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.