PT-2020-15414 · Jenkins · Jenkins Play Framework Plugin+1
Daniel Beck
·
Published
2020-06-03
·
Updated
2023-10-25
·
CVE-2020-2200
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Play Framework Plugin versions 1.0.2 and earlier
Description
The issue concerns an OS command injection vulnerability. It occurs because a form validation endpoint in the Play Framework Plugin executes the
play command to validate a given input file, and users can specify the path to this command on the Jenkins master. This vulnerability is exploitable by users who can store a file on the Jenkins master, such as through archiving artifacts.Recommendations
For Jenkins Play Framework Plugin versions 1.0.2 and earlier, consider restricting access to the form validation endpoint to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the endpoint that executes the
play command for file validation.Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Play Framework Plugin