Description
A man-in-the-middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older, which disables host key verification by default. The affected files are AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java and AnsiblePlaybookStep.java.
Remediation
References
https://jenkins.io/security/advisory/2018-03-26/#SECURITY-630