Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1wNXg1LWpnM2otMmpjas4AAjyZ

OS command injection in CryptoMove Plugin

CryptoMove Plugin 0.1.33 and earlier allows the configuration of an OS command to execute as part of its build step configuration. This command will be executed on the Jenkins controller as the OS user account running Jenkins, allowing user with Job/Configure permission to execute an arbitrary OS command on the Jenkins controller.

Permalink: https://github.com/advisories/GHSA-p5x5-jg3j-2jcj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wNXg1LWpnM2otMmpjas4AAjyZ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago


CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-p5x5-jg3j-2jcj, CVE-2020-2159
References: Blast Radius: 1.0

Affected Packages

maven:io.jenkins.plugins:cryptomove
Affected Version Ranges: <= 0.1.33
No known fixed version