CVE-2020-2261 — OS command execution vulnerability in Perfecto Plugin

Description

Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations. This command is executed on the Jenkins controller in Perfecto Plugin 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller. Perfecto Plugin 1.18 executes the specified commands on the agent the build is running on.

How to fix CVE-2020-2261

To remediate CVE-2020-2261, upgrade the affected package to a fixed version below.

—upgrade to 1.18 or later

Is CVE-2020-2261 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.18

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2261
PATCHgithub.com/jenkinsci/perfecto-plugin
WEBwww.jenkins.io/security/advisory/2020-09-16/#SECURITY-1980
WEBwww.openwall.com/lists/oss-security/2020/09/16/3