The library sshd-core (1.0.0) included in ssh-agent-plugin contains a vulnerability.

Minimum version to use: 1.3.0, but it's better to use the latest one.

From a security scan:
cvss_v2: "7.8/AV:N/AC:L/Au:N/C:C/I:N/A:N"
Apache MINA contains a flaw that allows traversing outside of a restricted path. The issue is due to SFTP servers failing to properly sanitizing user input, specifically absolute paths. With a specially crafted request, a remote attacker can gain access to arbitrary files

Although the plugin may not use the dependency the way it's exploitable, it's better to avoid the buggy dependency in order to:

• avoid security reports warning about that
• avoid future risky uses of the library that may exploit the vulnerability

If you like, you can use the bom approach to avoid dealing with the right version, it will take the one used by Jenkins core: https://jenkins.io/doc/developer/plugin-development/dependency-management/

Thank you.

by Ramón León