Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wNXg1LWpnM2otMmpjas4AAjyZ
OS command injection in CryptoMove Plugin
CryptoMove Plugin 0.1.33 and earlier allows the configuration of an OS command to execute as part of its build step configuration. This command will be executed on the Jenkins controller as the OS user account running Jenkins, allowing users with Job/Configure permission to execute an arbitrary OS command on the Jenkins controller.
Permalink: https://github.com/advisories/GHSA-p5x5-jg3j-2jcj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wNXg1LWpnM2otMmpjas4AAjyZ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-p5x5-jg3j-2jcj, CVE-2020-2159
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2159
- https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1635
- http://www.openwall.com/lists/oss-security/2020/03/09/1
- https://github.com/advisories/GHSA-p5x5-jg3j-2jcj
Affected Packages
maven:io.jenkins.plugins:cryptomove
Affected Version Ranges: <= 0.1.33
No known fixed version