Jenkins Security Advisory 2025-04-10

SECURITY-3565 / CVE-2025-32754 (jenkins/ssh-agent), CVE-2025-32755 (jenkins/ssh-slave)
Severity (CVSS): Medium
Description:

The jenkins/ssh-agent and deprecated jenkins/ssh-slave Docker images can be used to set up a build agent for use via the SSH Build Agents plugin.

In jenkins/ssh-agent 6.11.1 and earlier and all versions of jenkins/ssh-slave, SSH host keys are generated on image creation for images based on Debian. This affects the following image variants:

• jenkins/ssh-agent:

  • All not explicitly specifying an OS, including all -jdk* and -jdk*-preview suffixes (all before 2025-04-10)

  • All containing debian, stretch, bullseye, or bookworm (all before 2025-04-10)

• jenkins/ssh-slave: The tags latest, jdk11, latest-jdk11, revert-22-jdk11-JENKINS-52279

The following image variants are unaffected:

• jenkins/ssh-agent: All containing alpine, nanoserver, or windows

• jenkins/ssh-slave: The tag alpine

As a result, all containers based on images of the same version use the same SSH host keys. This allows attackers able to insert themselves into the network path between the SSH client (typically the Jenkins controller) and SSH build agent to impersonate the latter.

The jenkins/ssh-agent 6.11.2 Docker images based on Debian delete the automatically generated SSH host keys created during image creation. New host keys are generated on the first container startup.

jenkins/ssh-slave is deprecated and will not be updated. Use jenkins/ssh-agent instead.

• SECURITY-3565: Medium

• jenkins/ssh-agent Docker images should be updated to version 6.11.2

• Abhishek Reddypalle for SECURITY-3565