Description
A man-in-the-middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older: the plugin disables host key verification by default. The affected files are AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, and AnsiblePlaybookStep.java.
Remediation
References
https://jenkins.io/security/advisory/2018-03-26/#SECURITY-630