CVE-2023-28677

Name of the Vulnerable Software and Affected Versions Jenkins Convert To Pipeline Plugin versions 1.0 and earlier

Description The issue is related to the incorrect handling of code generation in the Convert To Pipeline Plugin, specifically in the Freestyle Project Configuration Handler component. This allows attackers who can configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the resulting Pipeline. The exploitation of this issue may impact the confidentiality, integrity, and availability of protected information.

Recommendations For Jenkins Convert To Pipeline Plugin versions 1.0 and earlier, consider disabling the conversion of Freestyle projects to Pipeline until a patch is available, to minimize the risk of exploitation. Restrict access to the Freestyle project configuration to prevent attackers from preparing crafted configurations. Avoid using the Convert To Pipeline Plugin to convert Freestyle projects that may contain malicious configurations. At the moment, there is no information about a newer version that contains a fix for this vulnerability.