Jenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller.
This allows attackers with Item/Configure permission to execute arbitrary shell commands on the Jenkins controller.
As of publication of this advisory, there is no fix.
{
"nvd_published_at": "2025-10-29T14:15:58Z",
"severity": "HIGH",
"cwe_ids": [
"CWE-78"
],
"github_reviewed_at": "2025-10-29T22:02:42Z",
"github_reviewed": true
}