Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-7c44-m589-36w7: Jenkins Convert To Pipeline Plugin vulnerable to command injection

Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects’ Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations.

This allows attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a conversion by Convert To Pipeline Plugin. If an administrator converts the Freestyle project to a Pipeline, the script will be pre-approved.

ghsa
#git#java#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-28677

Jenkins Convert To Pipeline Plugin vulnerable to command injection

High severity GitHub Reviewed Published Apr 2, 2023 to the GitHub Advisory Database • Updated Apr 4, 2023

Package

maven org.jenkins-ci.plugins:convert-to-pipeline (Maven)

Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects’ Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations.

This allows attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a conversion by Convert To Pipeline Plugin. If an administrator converts the Freestyle project to a Pipeline, the script will be pre-approved.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2023-28677
  • https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2966

Published to the GitHub Advisory Database

Apr 2, 2023

Related news

CVE-2023-28680: Jenkins Security Advisory 2023-03-21

Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28676: Jenkins Security Advisory 2023-03-21

A cross-site request forgery (CSRF) vulnerability in Jenkins Convert To Pipeline Plugin 1.0 and earlier allows attackers to create a Pipeline based on a Freestyle project, potentially leading to remote code execution (RCE).

CVE-2023-28675: Jenkins Security Advisory 2023-03-21

A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.

CVE-2023-28677: Jenkins Security Advisory 2023-03-21

Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a convertion by Jenkins Convert To Pipeline Plugin.

CVE-2023-28682: Jenkins Security Advisory 2023-03-21

Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28678: Jenkins Security Advisory 2023-03-21

Jenkins Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

CVE-2023-28683: Jenkins Security Advisory 2023-03-21

Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28668: Jenkins Security Advisory 2023-03-21

Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled.

CVE-2023-28670: Jenkins Security Advisory 2023-03-21

Jenkins Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view's URL in inline JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

CVE-2023-28685: Jenkins Security Advisory 2023-03-21

Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.