Jenkins Conversion Plugin Vulnerability in Freestyle Projects
CVE-2023-28677

9.8CRITICAL

Key Information:

Vendor: Jenkins
Status: Jenkins Convert To Pipeline Plugin
Vendor: CVE Published:; 2 April 2023

Summary

The Jenkins Convert To Pipeline Plugin, version 1.0 and earlier, introduces a security concern where simple string concatenation mechanisms allow for the injection of untrusted Pipeline script code. This vulnerability enables attackers to craft configurations in Freestyle projects that manipulate the conversion process into unsandboxed Pipeline invocations, potentially compromising the integrity of the project configuration and execution.

Affected Version(s)

Jenkins Convert To Pipeline Plugin 0 <= 1.0

References

https://www.jenkins.io/security/advisory/2023-03-21/#SECU...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 2, 2023
Vulnerability Reserved
Mar 20, 2023