Arbitrary Command Execution in Jenkins Selection Tasks Plugin by CloudBees
CVE-2020-2276

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Selection Tasks Plugin
Vendor: CVE Published:; 16 September 2020

Summary

The Jenkins Selection Tasks Plugin, prior to version 1.0, has a vulnerability that allows an attacker with Job/Configure permission on the Jenkins controller to execute arbitrary system commands. This occurs because the plugin improperly executes user-specified programs, which can compromise the security of the Jenkins environment by executing malicious commands with the same privileges as the Jenkins process.

Affected Version(s)

Jenkins Selection tasks Plugin <= 1.0

References

https://www.jenkins.io/security/advisory/2020-09-16/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2020/09/16/3

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 16, 2020
Vulnerability Reserved
Dec 5, 2019