CVE-2020-2159 – io.jenkins.plugins:cryptomove
Package
Manager: maven
Name: io.jenkins.plugins:cryptomove
Vulnerable Version: >=0 <=0.1.33
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.02831 pctl0.85653
Details
OS command injection in CryptoMove Plugin 0.1.33 and earlier: the plugin allows an OS command to be configured for execution as part of its build step configuration. This command is executed on the Jenkins controller as the OS user account running Jenkins, allowing a user with Job/Configure permission to execute an arbitrary OS command on the Jenkins controller.
Metadata
Created: 2022-05-24T17:10:30Z
Modified: 2023-01-05T21:09:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-p5x5-jg3j-2jcj/GHSA-p5x5-jg3j-2jcj.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-p5x5-jg3j-2jcj
Finding: F404
Auto approve: 1