{"id":"GHSA-jq84-6fmm-6qv6","summary":"OS command execution vulnerability in Perfecto Plugin","details":"Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations.\n\nThis command is executed on the Jenkins controller in Perfecto Plugin 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller.\n\nPerfecto Plugin 1.18 executes the specified commands on the agent the build is running on.","aliases":["CVE-2020-2261"],"modified":"2023-11-01T04:52:28.702469Z","published":"2022-05-24T17:28:26Z","database_specific":{"severity":"HIGH","cwe_ids":["CWE-78"],"github_reviewed":true,"nvd_published_at":"2020-09-16T14:15:00Z","github_reviewed_at":"2022-12-29T01:42:56Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-2261"},{"type":"PACKAGE","url":"https://github.com/jenkinsci/perfecto-plugin"},{"type":"WEB","url":"https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1980"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2020/09/16/3"}],"affected":[{"package":{"name":"io.jenkins.plugins:perfecto","ecosystem":"Maven","purl":"pkg:maven/io.jenkins.plugins/perfecto"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.18"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jq84-6fmm-6qv6/GHSA-jq84-6fmm-6qv6.json","last_known_affected_version_range":"\u003c= 1.17"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}