Jenkins Pipeline: Multibranch Plugin vulnerable to OS Command Injection

2022-02-1600:01:36

Google

osv.dev

0.001 Low

EPSS

Percentile

46.1%

JSON

Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier uses distinct checkout directories per SCM for the readTrusted step, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.

CPENameOperatorVersion
org.jenkins-ci.plugins.workflow:workflow-multibrancheq2.0
org.jenkins-ci.plugins.workflow:workflow-multibrancheq2.11-beta-1
org.jenkins-ci.plugins.workflow:workflow-multibrancheq2.21
org.jenkins-ci.plugins.workflow:workflow-multibrancheq2.9.2
org.jenkins-ci.plugins.workflow:workflow-multibrancheq2.17-durability-beta-1
org.jenkins-ci.plugins.workflow:workflow-multibrancheq2.20
org.jenkins-ci.plugins.workflow:workflow-multibrancheq2.26
org.jenkins-ci.plugins.workflow:workflow-multibrancheq2.7
org.jenkins-ci.plugins.workflow:workflow-multibrancheq2.3
org.jenkins-ci.plugins.workflow:workflow-multibrancheq1.12-beta-2

Name	Operator	Version
org.jenkins-ci.plugins.workflow:workflow-multibranch	eq	2.0
org.jenkins-ci.plugins.workflow:workflow-multibranch	eq	2.11-beta-1
org.jenkins-ci.plugins.workflow:workflow-multibranch	eq	2.21
org.jenkins-ci.plugins.workflow:workflow-multibranch	eq	2.9.2
org.jenkins-ci.plugins.workflow:workflow-multibranch	eq	2.17-durability-beta-1
org.jenkins-ci.plugins.workflow:workflow-multibranch	eq	2.20
org.jenkins-ci.plugins.workflow:workflow-multibranch	eq	2.26
org.jenkins-ci.plugins.workflow:workflow-multibranch	eq	2.7
org.jenkins-ci.plugins.workflow:workflow-multibranch	eq	2.3
org.jenkins-ci.plugins.workflow:workflow-multibranch	eq	1.12-beta-2