[org.jenkins-ci.plugins:google-compute-engine] Jenkins Google Compute Engine Plugin does not verify SSH host keys when connecting agents created by the plugin

Jenkins Google Compute Engine Plugin 4.1.1 and earlier does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks. Google Compute Engine Plugin 4.2.0 verifies SSH host keys before executing any commands on agents.

References

• https://nvd.nist.gov/vuln/detail/CVE-2019-16546
• https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1584
• http://www.openwall.com/lists/oss-security/2019/11/21/1
• https://github.com/advisories/GHSA-345p-pw5q-g98v