Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a convertion by Jenkins Convert To Pipeline Plugin.

Jenkins Convert To Pipeline Plugin vulnerable to command injection

Уязвимость компонента Freestyle Project Configuration Handler плагина Convert To Pipeline Plugin, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации