PT-2020-15377 · Jenkins · Jenkins Cryptomove Plugin

Wasin Saengow · Published 2020-03-09 · Updated 2023-10-25 · CVE-2020-2159

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Jenkins CryptoMove Plugin versions 0.1.33 and earlier
Description: The issue allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins controller as the OS user account running Jenkins. The CryptoMove Plugin lets a job's build step configuration specify an OS command, and that command is executed on the Jenkins controller. Any user with Job/Configure permission can therefore set an arbitrary command in a job they can configure and have it run on the controller.
Recommendations: For Jenkins CryptoMove Plugin versions 0.1.33 and earlier, consider restricting the Job/Configure permission to minimize the risk of exploitation. As a temporary workaround, consider disabling the build step configuration that allows the execution of OS commands until a patch is available.
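The two checks a Jenkins administrator needs after reading this advisory are whether a vulnerable plugin version is installed and which jobs carry the plugin's build step (those are the jobs whose Job/Configure grants deserve review). The script below is an added example, not code from the advisory or from the plugin. It reads the JSON that Jenkins serves at /pluginManager/api/json?depth=1 and a freestyle job's config.xml; the plugin short name "cryptomove" and the builder class name in the sample XML are assumptions, and the sample inputs are constructed here rather than captured from a real instance.

```python
import json
import re
import xml.etree.ElementTree as ET

# Affected range from the advisory: CryptoMove Plugin 0.1.33 and earlier.
LAST_AFFECTED_VERSION = "0.1.33"
# Assumed plugin short name (the id shown under Manage Plugins); verify it
# against your own Jenkins instance before relying on this match.
PLUGIN_SHORT_NAME = "cryptomove"


def parse_version(version):
    """Turn '0.1.33' (or '0.1.33-SNAPSHOT') into a comparable tuple of ints."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_affected(version):
    """True when the installed version falls inside the advisory's affected range."""
    return parse_version(version) <= parse_version(LAST_AFFECTED_VERSION)


def affected_plugins(plugin_manager_json):
    """Scan the JSON from /pluginManager/api/json?depth=1 for a vulnerable install."""
    found = []
    for plugin in json.loads(plugin_manager_json).get("plugins", []):
        version = plugin.get("version", "0")
        if plugin.get("shortName") == PLUGIN_SHORT_NAME and is_affected(version):
            found.append((plugin["shortName"], version))
    return found


def builders_from_plugin(config_xml, marker="cryptomove"):
    """Return the build-step element names in a job config.xml that belong to the plugin.

    Jenkins serialises each build step under <builders> with its Java class name
    as the element tag, so a case-insensitive substring match on the package
    name is enough to flag steps contributed by the plugin.
    """
    root = ET.fromstring(config_xml)
    hits = []
    for builders in root.iter("builders"):
        for step in builders:
            if marker in step.tag.lower():
                hits.append(step.tag)
    return hits


# Constructed sample of the plugin-manager JSON (not captured from a real instance).
SAMPLE_PLUGINS_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "4.2.2"},
        {"shortName": "cryptomove", "version": "0.1.33"},
    ]
})

# Constructed sample freestyle job config.xml; the CryptoMove builder class name
# below is a placeholder, not the plugin's real class name.
SAMPLE_CONFIG_XML = """<project>
  <builders>
    <hudson.tasks.Shell>
      <command>echo build</command>
    </hudson.tasks.Shell>
    <io.example.cryptomove.PlaceholderBuilder>
      <command>echo placeholder</command>
    </io.example.cryptomove.PlaceholderBuilder>
  </builders>
</project>
"""

if __name__ == "__main__":
    print("vulnerable plugin installs:", affected_plugins(SAMPLE_PLUGINS_JSON))
    print("build steps to review:", builders_from_plugin(SAMPLE_CONFIG_XML))
```

In practice you would feed `affected_plugins` the response from the plugin-manager endpoint and run `builders_from_plugin` over every `jobs/*/config.xml` under JENKINS_HOME; any job that comes back non-empty is one where the workaround (disabling the step) or the permission restriction from the Recommendations applies.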

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2020-2159
GHSA-P5X5-JG3J-2JCJ

Affected Products

Jenkins
Jenkins Cryptomove Plugin