Lucene search
JenkinsCVELIST:CVE-2023-28677HistoryMar 23, 2023 - 11:26 a.m.
CVE-2023-28677
2023-03-2311:26:06
jenkins
www.cve.org
cve-2023-28677
jenkins
pipeline
plugin
freestyle projects
build environment
build steps
post-build actions
configuration
injection
Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects’ Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a convertion by Jenkins Convert To Pipeline Plugin.
CNA Affected
[
{
"defaultStatus": "unknown",
"product": "Jenkins Convert To Pipeline Plugin",
"vendor": "Jenkins Project",
"versions": [
{
"lessThanOrEqual": "1.0",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
]Related
cve
cve
CVE-2023-28677
2023-04-02 21:15:09
nvd
nvd
CVE-2023-28677
2023-04-02 21:15:09
veracode
veracode
Remote Code Execution (RCE)
2023-08-22 11:14:09
osv
osv
Jenkins Convert To Pipeline Plugin vulnerable to command injection
2023-04-02 21:30:17
Jenkins Convert To Pipeline Plugin vulnerable to cross-site request forgery
2023-04-02 21:30:17
prion
prion
Code injection
2023-04-02 21:15:00
github
github
Jenkins Convert To Pipeline Plugin vulnerable to command injection
2023-04-02 21:30:17
Jenkins Convert To Pipeline Plugin vulnerable to cross-site request forgery
2023-04-02 21:30:17
