Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oOHc2LWM1M2ctNTN2ds4AAjSU
Missing permission checks in Jenkins Sounds Plugin allow OS command execution
Jenkins Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation, allowing attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.
Permalink: https://github.com/advisories/GHSA-h8w6-c53g-53vvJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oOHc2LWM1M2ctNTN2ds4AAjSU
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-h8w6-c53g-53vv, CVE-2020-2097
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2097
- https://jenkins.io/security/advisory/2020-01-15/#SECURITY-814
- https://github.com/jenkinsci/sounds-plugin/commit/0c376d46fd91b12696e5f7389110ddece0724457
- https://github.com/advisories/GHSA-h8w6-c53g-53vv
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:sounds
Affected Version Ranges: < 0.6Fixed in: 0.6