Описание
OS command execution vulnerability in Perfecto Plugin
Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations.
This command is executed on the Jenkins controller in Perfecto Plugin 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller.
Perfecto Plugin 1.18 executes the specified commands on the agent the build is running on.
Пакеты
Наименование
io.jenkins.plugins:perfecto
maven
Затронутые версииВерсия исправления
<= 1.17
1.18
Связанные уязвимости
CVSS3: 8.8
nvd
больше 5 лет назад
Jenkins Perfecto Plugin 1.17 and earlier executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller