Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qcTg0LTZmbW0tNnF2Ns4AAl85

OS command execution vulnerability in Perfecto Plugin

Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations.

This command is executed on the Jenkins controller in Perfecto Plugin 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller.

Perfecto Plugin 1.18 executes the specified commands on the agent the build is running on.

Permalink: https://github.com/advisories/GHSA-jq84-6fmm-6qv6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcTg0LTZmbW0tNnF2Ns4AAl85
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago


CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-jq84-6fmm-6qv6, CVE-2020-2261
References: Blast Radius: 1.0

Affected Packages

maven:io.jenkins.plugins:perfecto
Affected Version Ranges: <= 1.17
Fixed in: 1.18