CVE-2021-43578 — Agent-to-controller security bypass in Jenkins Squash TM Publisher (Squash4Jenki

Description

Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.

How to fix CVE-2021-43578

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2021-43578 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-43578
PATCHgithub.com/jenkinsci/squashtm-publisher-plugin
WEBwww.jenkins.io/security/advisory/2021-11-12/#SECURITY-2525
WEBwww.openwall.com/lists/oss-security/2021/11/12/1