CVE-2020-2261 – io.jenkins.plugins:perfecto
Package
Manager: maven
Name: io.jenkins.plugins:perfecto
Vulnerable Version: >=0 <1.18
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00246 (percentile: 0.47776)
Details
OS command execution vulnerability in Perfecto Plugin

Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations. This command is executed on the Jenkins controller in Perfecto Plugin 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller. Perfecto Plugin 1.18 executes the specified commands on the agent the build is running on.
Metadata
Created: 2022-05-24T17:28:26Z
Modified: 2022-12-29T01:42:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jq84-6fmm-6qv6/GHSA-jq84-6fmm-6qv6.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-jq84-6fmm-6qv6
Finding: F404
Auto approve: 1