[MAVEN:GHSA-JQ84-6FMM-6QV6] OS command execution vulnerability in Perfecto Plugin

Severity High
Affected Packages 1
Fixed Packages 1
CVEs 1

Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations.

In Perfecto Plugin 1.17 and earlier, the command built from these values is executed on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller.

Perfecto Plugin 1.18 executes the specified commands on the agent the build is running on.

Package                                  Affected Version
pkg:maven/io.jenkins.plugins/perfecto    <= 1.17

Package                                  Fixed Version
pkg:maven/io.jenkins.plugins/perfecto    = 1.18
ID
MAVEN:GHSA-JQ84-6FMM-6QV6
Severity
high
URL
https://github.com/advisories/GHSA-jq84-6fmm-6qv6
Published
2022-05-24T17:28:26
Modified
2023-01-28T05:06:13
Rights
Maven Security Team
Other Advisories
Type      Package URL                              Namespace              Name / Product   Version   Distribution / Platform   Arch   Patch / Fix
Affected  pkg:maven/io.jenkins.plugins/perfecto    io.jenkins.plugins     perfecto         <= 1.17
Fixed     pkg:maven/io.jenkins.plugins/perfecto    io.jenkins.plugins     perfecto         = 1.18