GHSA-rh72-238f-g26q

Source
https://github.com/advisories/GHSA-rh72-238f-g26q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-rh72-238f-g26q/GHSA-rh72-238f-g26q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rh72-238f-g26q
Aliases
  • CVE-2025-64140
Published
2025-10-29T15:31:56Z
Modified
2025-11-05T21:08:41.999964Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Jenkins Azure CLI Plugin does not restrict the commands it executes
Details

Jenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller.

This allows attackers with Item/Configure permission to execute arbitrary shell commands on the Jenkins controller.

As of publication of this advisory, there is no fix.

Database specific
{
    "nvd_published_at": "2025-10-29T14:15:58Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-78"
    ],
    "github_reviewed_at": "2025-10-29T22:02:42Z",
    "github_reviewed": true
}
References

Affected packages

Maven / org.jenkins-ci.plugins:azure-cli

Package

Name
org.jenkins-ci.plugins:azure-cli
Purl
pkg:maven/org.jenkins-ci.plugins/azure-cli

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
0.9

Affected versions

0.*
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-rh72-238f-g26q/GHSA-rh72-238f-g26q.json"