OSV:GHSA-C89C-PVM7-33WJ
May 24, 2022 - 5:17 p.m.

Lack of SSL/TLS certificate and hostname validation in Amazon EC2 Plugin

2022-05-24 17:17:15
Google
osv.dev
amazon ec2
plugin
ssl/tls
certificate
hostname validation
windows agents
https
man-in-the-middle attack
configuration option
security.

EPSS: 0.001 (percentile: 31.1%)

Amazon EC2 Plugin connects to Windows agents via HTTPS.

Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed HTTPS certificates and does not perform hostname validation when connecting to Windows agents. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.

Amazon EC2 Plugin 1.50.2 by default no longer accepts self-signed HTTPS certificates and performs hostname validation. A new configuration option allows restoring the previous, unsafe behavior. For more information see the plugin documentation.
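
A pre-upgrade check, as an added example (not code from the plugin or from the advisory): the Java program below runs the two validations that 1.50.2 enables by default against an agent's HTTPS endpoint, so agents that only connected because validation was skipped can be found beforehand. It assumes validation against the JVM's default trust store and WinRM's default HTTPS port 5986; the class and method names are illustrative.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

/** Added example: probes an agent's HTTPS endpoint the way a validating client would. */
public final class CheckAgentTls {

    /** One TLS handshake with the default trust store; null on success, else the error. */
    static String handshake(String host, int port, boolean checkHostname) throws Exception {
        try (SSLSocket socket = (SSLSocket) SSLContext.getDefault()
                .getSocketFactory().createSocket(host, port)) {
            socket.setSoTimeout(10_000); // do not hang on an unresponsive endpoint
            if (checkHostname) {
                // A raw SSLSocket validates the chain but does not compare the
                // certificate to the host name unless this is set explicitly.
                SSLParameters params = socket.getSSLParameters();
                params.setEndpointIdentificationAlgorithm("HTTPS");
                socket.setSSLParameters(params);
            }
            socket.startHandshake();
            return null;
        } catch (SSLException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java CheckAgentTls.java <host> [port]");
            System.exit(64);
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 5986; // WinRM HTTPS default
        // Pass 1: chain validation only. Pass 2: chain plus hostname validation.
        String chainError = handshake(host, port, false);
        if (chainError != null) {
            System.out.println("FAIL (certificate chain or TLS): " + chainError);
            System.exit(2);
        }
        String nameError = handshake(host, port, true);
        if (nameError != null) {
            System.out.println("FAIL (hostname mismatch): " + nameError);
            System.exit(3);
        }
        System.out.println("OK: " + host + ":" + port + " passes chain and hostname validation");
    }
}
```

Run it with the same JVM and trust store as the Jenkins controller, using the host name that Jenkins uses to reach the agent. An agent that fails either pass needs a certificate issued for that name by a trusted CA.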
