PT-2021-23883 · Jenkins · Jenkins Squash Tm Publisher Plugin+1
Daniel Beck
·
Published
2021-11-12
·
Updated
2023-11-22
·
CVE-2021-43578
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Squash TM Publisher (Squash4Jenkins) Plugin versions 1.0.0 and earlier
Description
The issue allows attackers who can control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string. This is due to the lack of validation of input in an agent-to-controller message.
Recommendations
For versions 1.0.0 and earlier, as a temporary workaround, consider disabling the agent-to-controller message functionality until a patch is available. Restrict access to the Jenkins controller file system to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Protection Mechanism Failure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Squash Tm Publisher Plugin