5.6

CVSS Score

3.0

Basic Information

CVE ID

CVE-2020-2187

GHSA ID

GHSA-c89c-pvm7-33wj

EPSS Score

0.10079%

CWE

CWE-295

Published

5/24/2022

Updated

12/20/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2187

CVE-2020-2187: Lack of SSL/TLS certificate and hostname validation in Amazon EC2 Plugin

Amazon EC2 Plugin connects to Windows agents via HTTPS.

Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed HTTPS certificates and does not perform hostname validation when connecting to Windows agents. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.

Amazon EC2 Plugin 1.50.2 by default no longer accepts self-signed HTTPS certificates and performs hostname validation. A new configuration option allows restoring the previous, unsafe behavior. For more information see the plugin documentation.

(GitHub Advisory)

5.6

CVSS Score

3.0

Basic Information

CVE ID

CVE-2020-2187

GHSA ID

GHSA-c89c-pvm7-33wj

EPSS Score

0.10079%

CWE

CWE-295

Published

5/24/2022

Updated

12/20/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:ec2	maven	<= 1.50.1	1.50.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues: 1) The WinRM client's SSL configuration lacked proper certificate validation, using TrustSelfSignedStrategy and disabling hostname verification. 2) The WindowsData class enforced acceptance of self-signed certificates by default through its constructor. The commit diff shows these were addressed by introducing a configuration flag and secure defaults in WinRMClient.java (using system trust store when allowSelfSignedCertificate=false) and WindowsData.java (requiring explicit opt-in for insecure behavior). The functions handling SSL configuration and certificate policy enforcement are clearly identified as the vulnerable points through code analysis of the security patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*m*zon *** Plu*in *onn**ts to Win*ows ***nts vi* *TTPS. *m*zon *** Plu*in *.**.* *n* **rli*r un*on*ition*lly ****pts s*l*-si*n** *TTPS **rti*i**t*s *n* *o*s not p*r*orm *ostn*m* v*li**tion w**n *onn**tin* to Win*ows ***nts. T*is l**k o* v*li**tion *

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s: *) T** WinRM *li*nt's SSL *on*i*ur*tion l**k** prop*r **rti*i**t* v*li**tion, usin* `TrustS*l*Si*n**Str*t**y` *n* *is**lin* *ostn*m* v*ri*i**tion. *) T** `Win*ows**t*` *l*ss *n*or*** ****pt*n** o* s*l*-si*

5.6

Basic Information

Concerned about an active attack path?

CVE-2020-2187: Lack of SSL/TLS certificate and hostname validation in Amazon EC2 Plugin

5.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI