[MAVEN:GHSA-298J-9Q4W-6RM4] Agent-to-controller security bypass in Jenkins xUnit Plugin
Severity
Moderate
Affected Packages
1
Fixed Packages
1
CVEs
1
xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn’t exist, and parsing files inside it as test results.
This allows attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test results from existing files in an attacker-specified directory.
xUnit Plugin 3.1.0 changes the message type from agent-to-controller to controller-to-agent, preventing execution on the controller.
| Package | Affected Version |
|---|---|
 pkg:maven/org.jenkins-ci.plugins/xunit
|
< 3.1.0 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/org.jenkins-ci.plugins/xunit
|
= 3.1.0 |
- ID
- MAVEN:GHSA-298J-9Q4W-6RM4
- Severity
- moderate
- URL
- https://github.com/advisories/GHSA-298j-9q4w-6rm4
- Published
-
2022-06-24T00:00:31
(2 years ago) - Modified
-
2023-01-31T05:02:18
(19 months ago) - Rights
- Maven Security Team
- Other Advisories
JENKINS:SECURITY-2549| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |