OS command execution vulnerability in Jenkins Docker Commons Plugin

2022-01-1300:01:03

Google

osv.dev

8.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

60.8%

JSON

Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job’s SCM repository.

CPENameOperatorVersion
org.jenkins-ci.plugins:docker-commonseq1.0-alpha-13
org.jenkins-ci.plugins:docker-commonseq1.3
org.jenkins-ci.plugins:docker-commonseq1.0-alpha-1
org.jenkins-ci.plugins:docker-commonseq1.0-alpha-10
org.jenkins-ci.plugins:docker-commonseq1.8
org.jenkins-ci.plugins:docker-commonseq1.0-alpha-12
org.jenkins-ci.plugins:docker-commonseq1.13
org.jenkins-ci.plugins:docker-commonseq1.10
org.jenkins-ci.plugins:docker-commonseq1.1
org.jenkins-ci.plugins:docker-commonseq1.0-beta-1

Name	Operator	Version
org.jenkins-ci.plugins:docker-commons	eq	1.0-alpha-13
org.jenkins-ci.plugins:docker-commons	eq	1.3
org.jenkins-ci.plugins:docker-commons	eq	1.0-alpha-1
org.jenkins-ci.plugins:docker-commons	eq	1.0-alpha-10
org.jenkins-ci.plugins:docker-commons	eq	1.8
org.jenkins-ci.plugins:docker-commons	eq	1.0-alpha-12
org.jenkins-ci.plugins:docker-commons	eq	1.13
org.jenkins-ci.plugins:docker-commons	eq	1.10
org.jenkins-ci.plugins:docker-commons	eq	1.1
org.jenkins-ci.plugins:docker-commons	eq	1.0-beta-1