OS command injection vulnerability in Jenkins Play Framework Plugin

2022-05-2417:19:05

Google

osv.dev

0.051 Low

EPSS

Percentile

93.0%

JSON

A form validation endpoint in Play Framework Plugin executes the play command to validate a given input file.

Play Framework Plugin 1.0.2 and earlier lets users specify the path to the play command on the Jenkins controller. This results in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins controller (e.g. through archiving artifacts).

CPENameOperatorVersion
org.jenkins-ci.plugins:play-autotest-plugineq0.0.12
org.jenkins-ci.plugins:play-autotest-plugineq0.0.5
org.jenkins-ci.plugins:play-autotest-plugineq0.0.11
org.jenkins-ci.plugins:play-autotest-plugineq0.0.10
org.jenkins-ci.plugins:play-autotest-plugineq1.0.0
org.jenkins-ci.plugins:play-autotest-plugineq1.0.2
org.jenkins-ci.plugins:play-autotest-plugineq1.0.1
org.jenkins-ci.plugins:play-autotest-plugineq0.0.9
org.jenkins-ci.plugins:play-autotest-plugineq0.0.6
org.jenkins-ci.plugins:play-autotest-plugineq0.0.8

Name	Operator	Version
org.jenkins-ci.plugins:play-autotest-plugin	eq	0.0.12
org.jenkins-ci.plugins:play-autotest-plugin	eq	0.0.5
org.jenkins-ci.plugins:play-autotest-plugin	eq	0.0.11
org.jenkins-ci.plugins:play-autotest-plugin	eq	0.0.10
org.jenkins-ci.plugins:play-autotest-plugin	eq	1.0.0
org.jenkins-ci.plugins:play-autotest-plugin	eq	1.0.2
org.jenkins-ci.plugins:play-autotest-plugin	eq	1.0.1
org.jenkins-ci.plugins:play-autotest-plugin	eq	0.0.9
org.jenkins-ci.plugins:play-autotest-plugin	eq	0.0.6
org.jenkins-ci.plugins:play-autotest-plugin	eq	0.0.8