[JENKINS:SECURITY-2546] Agent-to-controller security bypass in `debian-package-builder`
Severity
High
Affected Packages
2
CVEs
1
debian-package-builder 1.6.11 and earlier implements functionality that allows agent processes to invoke command-line git at an attacker-specified path on the controller.
This allows attackers able to control agent processes to invoke arbitrary OS commands on the controller.
As of publication of this advisory, there is no fix.
| Package | Affected Version |
|---|---|
 pkg:maven/org.jenkins-ci.plugins/debian-package-builder
|
<= 1.6.11 |
 pkg:github/jenkinsci/debian-package-builder-plugin
|
<= 1.6.11 |
- ID
- JENKINS:SECURITY-2546
- Severity
- high
- Published
-
2022-01-12T00:00:00
(2 years ago) - Modified
-
2022-01-12T00:00:00
(2 years ago) - Rights
- Jenkins Security Team
- Other Advisories
MAVEN:GHSA-8XJP-RP29-V5J8| Source | # ID | Name | URL |
|---|---|---|---|
| Plugin repository | debian-package-builder repository |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.plugins/debian-package-builder | org.jenkins-ci.plugins |
debian-package-builder
|
<= 1.6.11 | |||
| Affected | pkg:github/jenkinsci/debian-package-builder-plugin | jenkinsci |
debian-package-builder-plugin
|
<= 1.6.11 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |