OS command injection in CryptoMove Plugin

2022-05-2417:10:30

Google

osv.dev

0.009 Low

EPSS

Percentile

82.6%

JSON

CryptoMove Plugin 0.1.33 and earlier allows the configuration of an OS command to execute as part of its build step configuration. This command will be executed on the Jenkins controller as the OS user account running Jenkins, allowing user with Job/Configure permission to execute an arbitrary OS command on the Jenkins controller.

CPENameOperatorVersion
io.jenkins.plugins:cryptomoveeq0.1.19
io.jenkins.plugins:cryptomoveeq0.1.27
io.jenkins.plugins:cryptomoveeq0.1.33
io.jenkins.plugins:cryptomoveeq0.1.30
io.jenkins.plugins:cryptomoveeq0.1.22
io.jenkins.plugins:cryptomoveeq0.1.20
io.jenkins.plugins:cryptomoveeq0.1.29
io.jenkins.plugins:cryptomoveeq0.1.21
io.jenkins.plugins:cryptomoveeq0.1.17
io.jenkins.plugins:cryptomoveeq0.1.25

Name	Operator	Version
io.jenkins.plugins:cryptomove	eq	0.1.19
io.jenkins.plugins:cryptomove	eq	0.1.27
io.jenkins.plugins:cryptomove	eq	0.1.33
io.jenkins.plugins:cryptomove	eq	0.1.30
io.jenkins.plugins:cryptomove	eq	0.1.22
io.jenkins.plugins:cryptomove	eq	0.1.20
io.jenkins.plugins:cryptomove	eq	0.1.29
io.jenkins.plugins:cryptomove	eq	0.1.21
io.jenkins.plugins:cryptomove	eq	0.1.17
io.jenkins.plugins:cryptomove	eq	0.1.25