CVE-2020-2159 — OS command injection in CryptoMove Plugin

Description

CryptoMove Plugin 0.1.33 and earlier allows the configuration of an OS command to execute as part of its build step configuration. This command will be executed on the Jenkins controller as the OS user account running Jenkins, allowing user with Job/Configure permission to execute an arbitrary OS command on the Jenkins controller.

How to fix CVE-2020-2159

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2020-2159 being exploited?

Low — EPSS is 4.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.1.33

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2159
PATCHgithub.com/jenkinsci/cryptomove-plugin
WEBjenkins.io/security/advisory/2020-03-09/#SECURITY-1635
WEBwww.openwall.com/lists/oss-security/2020/03/09/1