This advisory announces vulnerabilities in the following Jenkins deliverables:
The jenkins/ssh-agent and deprecated jenkins/ssh-slave Docker images can be used to set up a build agent for use via the SSH Build Agents plugin.
In jenkins/ssh-agent 6.11.1 and earlier and all versions of jenkins/ssh-slave, SSH host keys are generated on image creation for images based on Debian. This affects the following image variants:
jenkins/ssh-agent:
All not explicitly specifying an OS, including all -jdk* and -jdk*-preview suffixes (all before 2025-04-10)
All containing debian, stretch, bullseye, or bookworm (all before 2025-04-10)
jenkins/ssh-slave: The tags latest, jdk11, latest-jdk11, revert-22-jdk11-JENKINS-52279
The following image variants are unaffected:
jenkins/ssh-agent: All containing alpine, nanoserver, or windows
jenkins/ssh-slave: The tag alpine
As a result, all containers based on images of the same version use the same SSH host keys. This allows attackers able to insert themselves into the network path between the SSH client (typically the Jenkins controller) and SSH build agent to impersonate the latter.
The jenkins/ssh-agent 6.11.2 Docker images based on Debian delete the automatically generated SSH host keys created during image creation. New host keys are generated on the first container startup.
jenkins/ssh-slave is deprecated and will not be updated. Use jenkins/ssh-agent instead.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: