CVE-2023-37948
Jenkins Oracle Cloud Infrastructure Compute Plugin missing SSH host key validation
CVSS 3.1 base score: 4.8 (MEDIUM)
EPSS: 0.12%
Description
Jenkins Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not perform SSH host key validation when connecting to OCI clouds. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to OCI clouds. Oracle Cloud Infrastructure Compute Plugin 1.0.17 provides strategies for performing host key validation for administrators to select the one that meets their security needs.
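The two behaviours the description contrasts, as an added illustration in Python that is not the plugin's own code: an accept-anything strategy (what the text says versions 1.0.16 and earlier did) beside a fail-closed strategy that only trusts a host key already pinned in a known_hosts-style list. The strategy names, the host `example.oci.invalid` and the key bytes are constructed for this example.

```python
import base64
import hashlib

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return len(data).to_bytes(4, "big") + data

def ed25519_blob(raw_key: bytes) -> bytes:
    """Build the wire-format public key blob for an ssh-ed25519 key."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def accept_any(host: str, key_type: str, blob: bytes) -> bool:
    """The behaviour the advisory describes: every presented key is trusted."""
    return True

def parse_known_hosts(lines):
    """Parse OpenSSH known_hosts lines into {(host, key_type): blob}."""
    entries = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, key_type, b64 = line.split()[:3]
        for h in hosts.split(","):
            entries[(h, key_type)] = base64.b64decode(b64)
    return entries

def make_known_hosts_verifier(lines):
    """Strategy that trusts only a key already recorded for that host (fails closed)."""
    entries = parse_known_hosts(lines)
    def verify(host: str, key_type: str, blob: bytes) -> bool:
        pinned = entries.get((host, key_type))
        return pinned is not None and pinned == blob
    return verify

# Constructed sample: the legitimate key of a placeholder OCI host, plus a
# different key such as an interposed host would present.
REAL_KEY = ed25519_blob(bytes(range(32)))
OTHER_KEY = ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = [
    "example.oci.invalid ssh-ed25519 " + base64.b64encode(REAL_KEY).decode(),
]
verify_pinned = make_known_hosts_verifier(KNOWN_HOSTS)
```

With the pinned strategy, a changed key or an unknown host is rejected, which is the point at which the interception the description mentions becomes detectable.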
How to fix CVE-2023-37948
To remediate CVE-2023-37948, upgrade the affected package to a fixed version below.
- Upgrade to 1.0.17 or later
Is CVE-2023-37948 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Jenkins Oracle Cloud Infrastructure Compute Plugin: from 0, < 1.0.17
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |