CVE-2017-2652 – org.jenkins-ci.plugins:distfork
Package
Manager: maven
Name: org.jenkins-ci.plugins:distfork
Vulnerable Version: >=0 <1.6.0
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00363 (percentile 0.57589)
Details
Missing permission checks in Jenkins Distributed Fork Plugin: the Distributed Fork plugin for Jenkins, versions up to and including 1.5.0, performed no permission checks for the dist-fork CLI command it provides beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.
Metadata
Created: 2022-05-13T01:36:51Z
Modified: 2024-01-30T22:19:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2cm5-f78c-h2c8/GHSA-2cm5-f78c-h2c8.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-2cm5-f78c-h2c8
Finding: F039
Auto approve: 1