1. Home
  2. Security Advisories
  3. Maven
  4. MAVEN:GHSA-J472-MCQ2-95P6

[MAVEN:GHSA-J472-MCQ2-95P6] OS Command Injection in Jenkins

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to create or configure agents in Jenkins could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of this launch method now requires the Run Scripts permission typically only granted to administrators.

Package Affected Version
pkg:maven/org.jenkins-ci.main/jenkins-core >= 2.74, <= 2.83
pkg:maven/org.jenkins-ci.main/jenkins-core <= 2.73.1
Package Fixed Version
pkg:maven/org.jenkins-ci.main/jenkins-core = 2.84
pkg:maven/org.jenkins-ci.main/jenkins-core = 2.73.2
ID
MAVEN:GHSA-J472-MCQ2-95P6
Severity
high
URL
https://github.com/advisories/GHSA-j472-mcq2-95p6
Published
2022-05-14T01:04:30
(2 years ago)
Modified
2023-01-27T05:02:11
(20 months ago)
Rights
Maven Security Team
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.main/jenkins-core org.jenkins-ci.main jenkins-core >= 2.74 <= 2.83
Fixed pkg:maven/org.jenkins-ci.main/jenkins-core org.jenkins-ci.main jenkins-core = 2.84
Affected pkg:maven/org.jenkins-ci.main/jenkins-core org.jenkins-ci.main jenkins-core <= 2.73.1
Fixed pkg:maven/org.jenkins-ci.main/jenkins-core org.jenkins-ci.main jenkins-core = 2.73.2
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date