Lucene search

GitHub Advisory DatabaseGHSA-P5X5-JG3J-2JCJ

HistoryMay 24, 2022 - 5:10 p.m.

OS command injection in CryptoMove Plugin

2022-05-2417:10:30

CWE-78

GitHub Advisory Database

github.com

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.009 Low

EPSS

Percentile

82.6%

JSON

CryptoMove Plugin 0.1.33 and earlier allows the configuration of an OS command to execute as part of its build step configuration. This command will be executed on the Jenkins controller as the OS user account running Jenkins, allowing user with Job/Configure permission to execute an arbitrary OS command on the Jenkins controller.

Affected configurations

Vulners

Node

io.jenkins.plugins\Matchcryptomove

CPENameOperatorVersion
io.jenkins.plugins:cryptomovele0.1.33

CPE	Name	Operator	Version
	io.jenkins.plugins:cryptomove	le	0.1.33

References

www.openwall.com/lists/oss-security/2020/03/09/1

github.com/advisories/GHSA-p5x5-jg3j-2jcj

jenkins.io/security/advisory/2020-03-09/#SECURITY-1635

nvd.nist.gov/vuln/detail/CVE-2020-2159

9 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.009 Low

EPSS

Percentile

82.6%

JSON

Related for GHSA-P5X5-JG3J-2JCJ