Description
Agent-to-controller security bypass in Jenkins Debian Package Builder Plugin
Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agent processes to invoke command-line git at an attacker-specified path on the controller.
This allows attackers able to control agent processes to invoke arbitrary OS commands on the controller.
Packages
Name: ru.yandex.jenkins.plugins.debuilder:debian-package-builder (maven)
Affected versions: <= 1.6.11
Fix version: None
Related vulnerabilities
CVSS3: 8.8
nvd
about 4 years ago
Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller.