PT-2018-9462 · Jenkins · Jenkins Fortify Cloudscan Plugin+1

Publicado

2018-06-26

Atualizado

2022-05-14

CVE-2018-1000607

CVSS v3.1

6.5

Média

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Fortify CloudScan Plugin versions 1.5.1 and earlier

Description A vulnerability exists that allows attackers to control the contents of the rulepack zip file, enabling them to overwrite any file on the Jenkins master file system. The extent of the overwrite capability is limited by the permissions of the user the Jenkins master process is running as.

Recommendations For Jenkins Fortify CloudScan Plugin versions 1.5.1 and earlier, consider restricting access to the ArchiveUtil.java file until a patch is available. As a temporary workaround, limit the permissions of the user the Jenkins master process is running as to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20

Identificadores relacionados

CVE-2018-1000607

GHSA-8864-PWHG-3MP2

Produtos afetados

Jenkins

Jenkins Fortify Cloudscan Plugin

PT-2018-9462 · Jenkins · Jenkins Fortify Cloudscan Plugin+1

CVE-2018-1000607

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 4