GHSA-jq84-6fmm-6qv6

Source

https://github.com/advisories/GHSA-jq84-6fmm-6qv6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jq84-6fmm-6qv6/GHSA-jq84-6fmm-6qv6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jq84-6fmm-6qv6

Aliases

CVE-2020-2261

Published

2022-05-24T17:28:26Z

Modified

2023-11-08T04:03:00.771563Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

OS command execution vulnerability in Perfecto Plugin

Details

Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations.

This command is executed on the Jenkins controller in Perfecto Plugin 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller.

Perfecto Plugin 1.18 executes the specified commands on the agent the build is running on.

Database specific

{
    "nvd_published_at": "2020-09-16T14:15:00Z",
    "github_reviewed_at": "2022-12-29T01:42:56Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-78"
    ]
}

References

Affected packages

Maven / io.jenkins.plugins:perfecto

Package

Name: io.jenkins.plugins:perfecto; View open source insights on deps.dev
Purl: pkg:maven/io.jenkins.plugins/perfecto

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.18

Affected versions

1.*

1.12

1.13

1.14

1.15

1.16

1.17

Database specific

{
    "last_known_affected_version_range": "<= 1.17"
}