Lucene search

GoogleOSV:GHSA-7C44-M589-36W7

HistoryApr 02, 2023 - 9:30 p.m.

Jenkins Convert To Pipeline Plugin vulnerable to command injection

2023-04-0221:30:17

Google

osv.dev

jenkins

convert to pipeline plugin

command injection

vulnerability

project conversion

software

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

55.0%

JSON

Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects’ Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations.

This allows attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a conversion by Convert To Pipeline Plugin. If an administrator converts the Freestyle project to a Pipeline, the script will be pre-approved.

CPENameOperatorVersion
org.jenkins-ci.plugins:convert-to-pipelineeq1.0

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:convert-to-pipeline	eq	1.0

References

github.com/jenkinsci/convert-to-pipeline-plugin

nvd.nist.gov/vuln/detail/CVE-2023-28677

www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2966

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

55.0%

JSON

Related for OSV:GHSA-7C44-M589-36W7