Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yY201LWY3OGMtaDJjOM4AARcD
Missing permission checks in Jenkins Distributed Fork Plugin
The Distributed Fork plugin for Jenkins, in versions up to and including 1.5.0, provides the dist-fork CLI command. It was found that this command performed no permission checks beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.
Permalink: https://github.com/advisories/GHSA-2cm5-f78c-h2c8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yY201LWY3OGMtaDJjOM4AARcD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 3 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-2cm5-f78c-h2c8, CVE-2017-2652
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-2652
- https://jenkins.io/security/advisory/2017-03-20/
- http://www.securityfocus.com/bid/96980
- https://github.com/advisories/GHSA-2cm5-f78c-h2c8
Affected Packages
maven:org.jenkins-ci.plugins:distfork
Affected Version Ranges: <= 1.5.0
Fixed in: 1.6.0