An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log.

It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks.

An issue was discovered in cckevincyh SSH CompanyWebsite through 2018-05-03. admin/admin/fileUploadAction_fileUpload.action allows arbitrary file upload, as demonstrated by a .jsp file with the image/jpeg content type.

An issue was discovered in cckevincyh SSH CompanyWebsite through 2018-05-03. SQL injection exists via the admin/noticeManageAction_queryNotice.action noticeInfo parameter.

A arbitrary file read vulnerability exists in Jenkins SSH Credentials Plugin 1.13 and earlier in BasicSSHUserPrivateKey.java that allows attackers with a Jenkins account and the permission to configure credential bindings to read arbitrary files from the Jenkins master file system.

The SSH server implementation of AsyncSSH before 1.12.1 does not properly check whether authentication is completed before processing other requests. A customized SSH client can simply skip the authentication step.

sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.

The SSH Plugin stores credentials which allow jobs to access remote servers via the SSH protocol. User passwords and passphrases for encrypted SSH keys are stored in plaintext in a configuration file.

The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

The server in Dropbear before 2017.75 might allow post-authentication root remote code execution because of a double free in cleanup of TCP listeners when the -a option is enabled.