CVE-2023-28677

2023-04-0221:15:09

CWE-77

[email protected]

web.nvd.nist.gov

219

jenkins

convert to pipeline plugin

cve-2023-28677

security vulnerability

injection attack

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.2%

JSON

Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects’ Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a convertion by Jenkins Convert To Pipeline Plugin.

Affected configurations

NVD

Node

jenkinsconvert_to_pipelineRange≤1.0jenkins

CPENameOperatorVersion
jenkins:convert_to_pipelinejenkins convert to pipelinele1.0

CPE	Name	Operator	Version
jenkins:convert_to_pipeline	jenkins convert to pipeline	le	1.0

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "product": "Jenkins Convert To Pipeline Plugin",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThanOrEqual": "1.0",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]