6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2146

GHSA ID

GHSA-rv9g-67f7-grq7

EPSS Score

0.08211%

CWE

CWE-347

Published

5/24/2022

Updated

12/13/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2146

CVE-2020-2146: Missing SSH host key validation in Mac Plugin

Mac Plugin 1.1.0 and earlier does not use SSH host key validation when connecting to Mac Cloud host launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.

Mac Plugin 1.2.0 validates SSH host keys when connecting to agents.

(GitHub Advisory)

6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2146

GHSA ID

GHSA-rv9g-67f7-grq7

EPSS Score

0.08211%

CWE

CWE-347

Published

5/24/2022

Updated

12/13/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fr.edf.jenkins.plugins:mac	maven	< 1.2.0	1.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing SSH host key validation during connection establishment. The commit diff shows:

Addition of host key validation checks ('doCheckKey' method)
Restructuring of connection verification logic
Security-related UI improvements in configuration

Key indicators:

The 'verifyConnection' method in config.groovy handles connection testing
Pre-patch versions didn't validate the host key parameter properly
CWE-347 directly maps to missing cryptographic signature verification
Patch added validation logic that would have been absent in vulnerable versions

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M** Plu*in *.*.* *n* **rli*r *o*s not us* SS* *ost k*y v*li**tion w**n *onn**tin* to M** *lou* *ost l*un**** *y t** plu*in. T*is l**k o* v*li**tion *oul* ** **us** usin* * m*n-in-t**-mi**l* *tt**k to int*r**pt t**s* *onn**tions to *uil* ***nts. M**

Reasoning

T** vuln*r**ility st*ms *rom missin* SS* *ost k*y v*li**tion *urin* *onn**tion *st**lis*m*nt. T** *ommit *i** s*ows: *. ***ition o* *ost k*y v*li**tion ****ks ('*o****kK*y' m*t*o*) *. R*stru*turin* o* *onn**tion v*ri*i**tion lo*i* *. S**urity-r*l*t*

6.8

Basic Information

Concerned about an active attack path?

CVE-2020-2146: Missing SSH host key validation in Mac Plugin

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI