PT-2020-15486 · Jenkins · Jenkins Perfecto Plugin
Published
2020-09-16
·
Updated
2023-10-25
·
CVE-2020-2261
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Perfecto Plugin versions 1.17 and earlier
Description
Jenkins Perfecto Plugin 1.17 and earlier lets a job configuration specify a Perfecto Connect Path and a Perfecto Connect File Name, which the plugin uses to build a command. That command is executed on the Jenkins controller rather than on the agent the build is assigned to. Because anyone with Job/Configure permission on a job can set these values, such a user can run arbitrary commands on the controller. In the Jenkins security model this is a privilege escalation: Job/Configure is routinely granted to users who are not administrators, while the controller holds stored credentials, plugin code and the configuration of every job.
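As an added illustration (not code from the Perfecto plugin or from this advisory), the Java sketch below contrasts the pattern the description refers to, a command built from the two job-configuration values and launched through a launcher bound to the controller JVM, with the pattern version 1.18 adopts, running it through the `Launcher` Jenkins hands to the build step, which targets the node the build is executing on. Class and field names, and the way the two values are joined into a command line, are assumptions for the example; descriptor and form-binding boilerplate is omitted.

```java
// Added illustration of the two execution patterns; not the Perfecto plugin's source.
// Class and field names are assumed for the example.
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.tasks.Builder;
import hudson.util.ArgumentListBuilder;
import jenkins.tasks.SimpleBuildStep;
import org.kohsuke.stapler.DataBoundConstructor;

import java.io.IOException;

public class PerfectoConnectStep extends Builder implements SimpleBuildStep {
    // Both values come from the job configuration form, i.e. from anyone who
    // holds Job/Configure on this job. Neither is trusted input.
    private final String perfectoConnectPath;
    private final String perfectoConnectFileName;

    @DataBoundConstructor
    public PerfectoConnectStep(String perfectoConnectPath, String perfectoConnectFileName) {
        this.perfectoConnectPath = perfectoConnectPath;
        this.perfectoConnectFileName = perfectoConnectFileName;
    }

    // Pattern the advisory describes (1.17 and earlier): Launcher.LocalLauncher
    // always spawns processes in the controller JVM, no matter which agent the
    // build was assigned to. Whatever executable the job configurer names is
    // therefore run on the controller with the controller's privileges.
    void runOnController(TaskListener listener) throws IOException, InterruptedException {
        Launcher controllerLauncher = new Launcher.LocalLauncher(listener);
        String command = perfectoConnectPath + "/" + perfectoConnectFileName; // user-controlled
        controllerLauncher.launch().cmds(command).stdout(listener).join();
    }

    // Pattern adopted in 1.18: use the Launcher Jenkins passes to the step.
    // It is bound to the node executing the build, so the command runs on the
    // agent (and on the controller only if the build itself was scheduled there).
    // The command is still chosen by the job configurer; that is inherent to
    // Job/Configure, which already permits arbitrary build steps on the agent.
    @Override
    public void perform(Run<?, ?> run, FilePath workspace, Launcher launcher, TaskListener listener)
            throws InterruptedException, IOException {
        ArgumentListBuilder args = new ArgumentListBuilder();
        args.add(perfectoConnectPath + "/" + perfectoConnectFileName);
        int exit = launcher.launch()
                .cmds(args)          // argument list, not a shell string
                .pwd(workspace)      // workspace on the executing node
                .stdout(listener)
                .join();
        if (exit != 0) {
            throw new IOException("Perfecto Connect exited with status " + exit);
        }
    }
}
```

The distinguishing question when reviewing any Jenkins plugin for this class of bug is which `Launcher` (or `Runtime.exec`, `ProcessBuilder`) a build step uses: anything other than the launcher supplied to `perform` runs where the plugin code runs, which is the controller.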
Recommendations
For Jenkins Perfecto Plugin versions 1.17 and earlier, update to version 1.18 or later. As of 1.18 the plugin runs the specified command on the agent the build is executing on, which removes the path to arbitrary command execution on the controller. A user with Job/Configure permission can still run arbitrary commands on the build agent; that is inherent to the permission (any build step can do the same) and is not what this fix addresses. Until the update is applied, restrict Job/Configure on jobs that use this plugin to trusted users. Independently of the version, a build that is scheduled on the controller node itself executes its commands there, so builds using this plugin should run on dedicated agents.
Weakness Enumeration
OS Command Injection
Related Identifiers
CVE-2020-2261
Affected Products
Jenkins
Jenkins Perfecto Plugin