PT-2018-9462 · Jenkins · Jenkins Fortify Cloudscan Plugin+1

Published

2018-06-26

Updated

2022-05-14

CVE-2018-1000607

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Fortify CloudScan Plugin versions 1.5.1 and earlier

Description A vulnerability exists that allows attackers to control the contents of the rulepack zip file, enabling them to overwrite any file on the Jenkins master file system. The extent of the overwrite capability is limited by the permissions of the user the Jenkins master process is running as.

Recommendations For Jenkins Fortify CloudScan Plugin versions 1.5.1 and earlier, consider restricting access to the ArchiveUtil.java file until a patch is available. As a temporary workaround, limit the permissions of the user the Jenkins master process is running as to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2018-1000607

GHSA-8864-PWHG-3MP2

Affected Products

Jenkins

Jenkins Fortify Cloudscan Plugin

PT-2018-9462 · Jenkins · Jenkins Fortify Cloudscan Plugin+1

CVE-2018-1000607

Weakness Enumeration

Related Identifiers

Affected Products

References · 4