PT-2018-7160 · Jenkins · Jenkins Distributed Fork Plugin +1

James Nord · Published 2018-07-27 · Updated 2022-05-13 · CVE-2017-2652

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Jenkins Distributed Fork plugin version 1.5.0 and earlier
Description: A security issue was discovered in the Distributed Fork plugin for Jenkins: in version 1.5.0 and earlier, the plugin did not perform the required permission checks. As a result, any user with Overall/Read permission could execute arbitrary shell commands on all connected nodes via the dist-fork CLI command.
Recommendations: For Jenkins Distributed Fork plugin version 1.5.0 and earlier, restrict access to the dist-fork CLI command until a patched version is available. As a temporary workaround, review who holds the Overall/Read permission and limit it to the accounts that need it, to reduce the risk of exploitation.

Fix

Weakness Enumeration

Missing Authorization
Improper Authentication

Related Identifiers

CVE-2017-2652
GHSA-2CM5-F78C-H2C8

Affected Products

Jenkins
Jenkins Distributed Fork Plugin