PT-2018-5266 · Jenkins

Author: Jesse Glick
Published: 2018-01-24
Updated: 2022-05-14

CVE-2017-1000502

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Jenkins versions 1.37 and earlier

Description: The issue allows users with certain permissions to configure an EC2 agent in a way that lets it run arbitrary shell commands on the master node. This happens whenever the agent is supposed to be launched. Configuring these agents now requires a specific permission, typically only granted to administrators.

Recommendations: For Jenkins versions 1.37 and earlier, ensure that the configuration of EC2 agents is restricted to users with the 'Run Scripts' permission, typically only granted to administrators, to prevent unauthorized access and potential exploitation.

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2017-1000502
GHSA-WP79-CPV2-9G7M

Affected Products

Jenkins