
CVE-2020-2146: Missing SSH host key validation in Mac Plugin

CVSS Score (v3.1): 6.8

Basic Information

EPSS Score: 0.08211%
Published: 5/24/2022
Updated: 12/13/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Package Name: fr.edf.jenkins.plugins:mac
Ecosystem: maven
Vulnerable Versions: < 1.2.0
First Patched Version: 1.2.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from missing SSH host key validation when the plugin establishes a connection to a Mac host. The commit diff for the fix shows:

  1. Addition of host key validation checks ('doCheckKey' method)
  2. Restructuring of connection verification logic
  3. Security-related UI improvements in configuration

Key indicators:

  • The 'verifyConnection' method in config.groovy handles connection testing
  • Pre-patch versions did not validate the host key parameter properly
  • CWE-347 (Improper Verification of Cryptographic Signature) maps directly to the missing host key verification
  • The patch added validation logic that was absent in vulnerable versions
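The following is an added example and not code from the Mac Plugin itself (the plugin's source is not shown on this page). It contrasts the weak pattern with a hardened one using the JSch SSH client library, which is assumed here as the client library; the class name, method names and the known_hosts path are hypothetical.

```java
import com.jcraft.jsch.HostKey;
import com.jcraft.jsch.HostKeyRepository;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;

// Hypothetical helper class for illustration; not part of the plugin.
public class HostKeyCheckExample {

    // Weak pattern: StrictHostKeyChecking=no accepts whatever key the peer presents,
    // so a machine-in-the-middle between the controller and the Mac host goes undetected.
    // (The caller still sets credentials and calls session.connect().)
    static Session openUnverified(JSch jsch, String user, String host, int port)
            throws JSchException {
        Session session = jsch.getSession(user, host, port);
        session.setConfig("StrictHostKeyChecking", "no");
        return session;
    }

    // Hardened pattern: pin the expected key in a known_hosts file (assumed path) and
    // refuse the connection when the presented key is missing or does not match.
    static Session openVerified(JSch jsch, String user, String host, int port,
                                String knownHostsPath) throws JSchException {
        jsch.setKnownHosts(knownHostsPath);
        Session session = jsch.getSession(user, host, port);
        session.setConfig("StrictHostKeyChecking", "yes");
        return session;
    }

    // Form-style pre-check in the spirit of the doCheckKey validation the patch added:
    // report whether a pinned key exists for the host before any connection test runs.
    static String checkHostKey(JSch jsch, String host) {
        HostKeyRepository repo = jsch.getHostKeyRepository();
        HostKey[] pinned = repo.getHostKey(host, null);
        if (pinned == null || pinned.length == 0) {
            return "ERROR: no pinned host key for " + host + "; connection would be unverified";
        }
        return "OK: " + pinned.length + " pinned key(s) for " + host
                + " (" + pinned[0].getType() + ")";
    }
}
```

Running checkHostKey against a JSch instance whose known_hosts lacks the target host reproduces the failure mode of the vulnerable versions: the connection would proceed with no key to compare against.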


Description

Mac Plugin 1.1.0 and earlier does not use SSH host key validation when connecting to a Mac cloud host launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.
