Bug 2114755 (CVE-2022-36881)

Summary: CVE-2022-36881 jenkins-plugin: Man-in-the-Middle (MitM) in org.jenkins-ci.plugins:git-client
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abenaiss, bmontgom, eparis, jburrell, nstielau, spandura, sponnaga, vkumar, ymittal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: git-client 3.11.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Git-Client Jenkins plugin. The affected versions of the Jenkins Git client Plugin do not perform SSH host key verification when connecting to Git repositories via SSH, enabling Man-in-the-middle attacks.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-07 12:32:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2114756, 2114757, 2114758, 2114759, 2114760, 2114761    
Bug Blocks: 2114688, 2119640    

Description Avinash Hanwate 2022-08-03 08:38:33 UTC 
Jenkins Git client Plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks.

https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1468
Comment 7 errata-xmlrpc 2022-11-17 22:49:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:7865 https://access.redhat.com/errata/RHSA-2022:7865
Comment 8 Product Security DevOps Team 2022-12-07 12:32:32 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-36881
Comment 9 errata-xmlrpc 2023-01-12 16:46:51 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2023:0017 https://access.redhat.com/errata/RHSA-2023:0017