CVE-2020-2097 – org.jenkins-ci.plugins:sounds

Package

Manager: maven
Name: org.jenkins-ci.plugins:sounds
Vulnerable Version: >=0 <0.6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00103 pctl0.28775

Details

Missing permission checks in Jenkins Sounds Plugin allow OS command execution Jenkins Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation, allowing attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.

Metadata

Created: 2022-05-24T17:06:23Z
Modified: 2022-12-21T16:47:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h8w6-c53g-53vv/GHSA-h8w6-c53g-53vv.json
CWE IDs: ["CWE-285"]
Alternative ID: GHSA-h8w6-c53g-53vv
Finding: F039
Auto approve: 1