Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qcTg0LTZmbW0tNnF2Ns4AAl85
OS command execution vulnerability in Perfecto Plugin
Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations.
This command is executed on the Jenkins controller in Perfecto Plugin 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller.
Perfecto Plugin 1.18 executes the specified commands on the agent the build is running on.
Permalink: https://github.com/advisories/GHSA-jq84-6fmm-6qv6JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcTg0LTZmbW0tNnF2Ns4AAl85
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-jq84-6fmm-6qv6, CVE-2020-2261
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2261
- https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1980
- http://www.openwall.com/lists/oss-security/2020/09/16/3
- https://github.com/advisories/GHSA-jq84-6fmm-6qv6
Affected Packages
maven:io.jenkins.plugins:perfecto
Affected Version Ranges: <= 1.17Fixed in: 1.18