RELEASED: Public: July 27, 2022
- Git client plugin versions prior to 3.11.1 are vulnerable to man-in-the-middle attacks (BEE-21945)
Git client plugin versions prior to version 3.11.1 are vulnerable to man-in-the-middle attacks. Additionally, because the CloudBees Git Validated Merge plugin uses the Git client plugin to provide an SSH connection, it is also vulnerable.
This issue has been resolved. The Git client plugin now lets you select from the following options to verify the SSH keys that are presented by the Git repository host servers:
- Accept first connection strategy (default) - Automatically adds keys to the known_hosts file for hosts that have not been seen before. For hosts that have been seen before, this option rejects the connection if the host key has changed.
- Known hosts file - This option verifies that all host keys use the
- Manually provided keys - This option verifies that all host keys use a set of manually configured keys.
- No verification - Does not verify host keys. This option is insecure and is not recommended.
To configure the host key verification strategy, select.
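The following Python script is an added illustration of how the four verification strategies above treat a host key presented by a Git server. It is not code from the Git client plugin or from CloudBees; it models the decision logic only, using a simplified known_hosts format and constructed placeholder keys (the strings starting with "AAAA-CONSTRUCTED" are not real SSH keys, and the hostnames are made up). The strategy names, the HostKey type and the verify function are all assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HostKey:
    """One host key as a server would present it during the SSH handshake."""
    host: str
    key_type: str
    key: str  # base64 blob in a real known_hosts file; placeholder here


# Constructed sample known_hosts content (not a real key).
KNOWN_HOSTS_SAMPLE = """\
# hosts the Jenkins controller has already connected to
git.example.test ssh-ed25519 AAAA-CONSTRUCTED-KEY-ONE
"""


def parse_known_hosts(text):
    """Parse simplified known_hosts lines of the form '<host[,host]> <keytype> <key>'.

    Hashed entries (HashKnownHosts, lines starting with '|1|') are skipped
    because matching them needs the HMAC computation, which this model omits.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("|1|"):
            continue
        for host in parts[0].split(","):
            entries.append(HostKey(host, parts[1], parts[2]))
    return entries


def known_keys(entries, host, key_type):
    """All recorded keys of the given type for a host."""
    return {e.key for e in entries if e.host == host and e.key_type == key_type}


def verify(strategy, presented, entries, manual_keys=frozenset()):
    """Apply one strategy to a presented key.

    Returns (accepted, reason, entries_after), where entries_after is the
    known_hosts list that results from the decision (only 'accept_first'
    ever extends it).
    """
    known = known_keys(entries, presented.host, presented.key_type)
    if strategy == "none":
        # No verification: any key, including a substituted one, is accepted.
        return True, "no verification (insecure)", entries
    if strategy == "manual":
        # Only keys an administrator configured explicitly are trusted.
        if presented in manual_keys:
            return True, "matches manually configured key", entries
        return False, "not in manually configured keys", entries
    if strategy == "known_hosts":
        # Strict: unknown hosts and changed keys are both rejected.
        if presented.key in known:
            return True, "matches known_hosts entry", entries
        return False, "host unknown or key changed", entries
    if strategy == "accept_first":
        # Trust on first use: record unseen hosts, reject changed keys later.
        if not known:
            return True, "first connection: key recorded", entries + [presented]
        if presented.key in known:
            return True, "matches previously recorded key", entries
        return False, "key changed for previously seen host", entries
    raise ValueError(f"unknown strategy: {strategy}")


def demo():
    """Run each strategy against a matching, a changed and an unseen key."""
    entries = parse_known_hosts(KNOWN_HOSTS_SAMPLE)
    same = HostKey("git.example.test", "ssh-ed25519", "AAAA-CONSTRUCTED-KEY-ONE")
    changed = HostKey("git.example.test", "ssh-ed25519", "AAAA-CONSTRUCTED-KEY-TWO")
    unseen = HostKey("new.example.test", "ssh-ed25519", "AAAA-CONSTRUCTED-KEY-THREE")
    results = {}
    for strategy in ("accept_first", "known_hosts", "manual", "none"):
        for label, key in (("same", same), ("changed", changed), ("unseen", unseen)):
            ok, reason, _ = verify(strategy, key, entries, frozenset({same}))
            results[(strategy, label)] = ok
            print(f"{strategy:13s} {label:8s} accepted={ok!s:5s} {reason}")
    return results


if __name__ == "__main__":
    demo()
```

Reading the output column by column shows why the default is a reasonable compromise: "accept_first" stops the changed key for an already-seen host but cannot tell a legitimate new server from an interposed one on the very first connection, while "known_hosts" and "manual" reject anything that was not provisioned in advance.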