Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2021/11/12/1 | Mailing List Third Party Advisory |
https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2525 | Vendor Advisory |
http://www.openwall.com/lists/oss-security/2021/11/12/1 | Mailing List Third Party Advisory |
https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2525 | Vendor Advisory |
Configurations
History
21 Nov 2024, 06:29
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.openwall.com/lists/oss-security/2021/11/12/1 - Mailing List, Third Party Advisory | |
References | () https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2525 - Vendor Advisory |
22 Nov 2023, 21:32
Type | Values Removed | Values Added |
---|---|---|
CWE | NVD-CWE-noinfo |
25 Oct 2023, 18:16
Type | Values Removed | Values Added |
---|---|---|
CWE |
Information
Published : 2021-11-12 11:15
Updated : 2024-11-21 06:29
NVD link : CVE-2021-43578
Mitre link : CVE-2021-43578
CVE.ORG link : CVE-2021-43578
JSON object : View
Products Affected
jenkins
- squash_tm_publisher
CWE