Jenkins SSH-Slave Docker Images Host Key Reuse Vulnerability

Vulnerability

A vulnerability exists in the Debian-based Jenkins SSH-Slave Docker images, where SSH host keys are generated during image creation. As a result, all containers started from the same image version use identical SSH host keys. An attacker who can intercept the network path between the SSH client and the SSH build agent can therefore impersonate the agent. This issue affects all versions of the Jenkins SSH-Slave images.

Impact

Exploitation of this vulnerability allows for impersonation of the SSH build agent, potentially leading to unauthorized actions or access during the build process.

Remediation

Users of Jenkins SSH-Slave Docker images should switch to the Jenkins SSH-Agent Docker images, which are actively maintained. SSH-Agent image versions 6.11.2 and later include the necessary fix. Those already using Jenkins SSH-Agent should ensure the version is 6.11.2 or later.
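
A check for the host key reuse described above, as an added example (not code from this advisory or the Jenkins project): it reads ssh-keyscan-format output collected from build agents, computes OpenSSH-style SHA256 fingerprints, and reports any host key presented by more than one agent. The agent names and key blobs are constructed sample data.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def reused_host_keys(keyscan_text: str) -> dict:
    """Map (keytype, fingerprint) -> hosts, for keys seen on more than one host."""
    hosts_by_key = defaultdict(set)
    for line in keyscan_text.splitlines():
        parts = line.split()
        # Skip blanks, ssh-keyscan banner comments and malformed lines.
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host, keytype, blob = parts[:3]
        try:
            hosts_by_key[(keytype, fingerprint(blob))].add(host)
        except ValueError:  # not valid base64, ignore the line
            continue
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) > 1}


def constructed_key(seed: bytes) -> str:
    """Constructed ssh-ed25519-shaped blob for the sample below (not a real key)."""
    keytype, raw = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(blob).decode()


# Constructed sample: agent-a and agent-b were started from the same image and
# present the same host key; agent-c has its own key.
BAKED, UNIQUE = constructed_key(b"image-baked"), constructed_key(b"per-container")
SAMPLE = f"""# agent-a:22 SSH-2.0-OpenSSH_9.2
agent-a ssh-ed25519 {BAKED}
agent-b ssh-ed25519 {BAKED}
agent-c ssh-ed25519 {UNIQUE}
"""

if __name__ == "__main__":
    for (keytype, fp), hosts in reused_host_keys(SAMPLE).items():
        print(f"{keytype} {fp} shared by: {', '.join(hosts)}")
```

Run against real ssh-keyscan output, any group it reports is a set of agents presenting the same host key.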

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 1.3
exploitability: 6.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.