8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2261

GHSA ID

GHSA-jq84-6fmm-6qv6

EPSS Score

0.47877%

CWE

CWE-78

Published

5/24/2022

Updated

1/28/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2261

CVE-2020-2261: OS command execution vulnerability in Perfecto Plugin

Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations.

This command is executed on the Jenkins controller in Perfecto Plugin 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller.

Perfecto Plugin 1.18 executes the specified commands on the agent the build is running on.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2261

GHSA ID

GHSA-jq84-6fmm-6qv6

EPSS Score

0.47877%

CWE

CWE-78

Published

5/24/2022

Updated

1/28/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.jenkins.plugins:perfecto	maven	<= 1.17	1.18

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsanitized use of job configuration parameters (Perfecto Connect Path/FileName) in OS command execution. In Jenkins plugins, the 'perform' method in builders/recorders is where build actions execute. The high confidence in PerfectoRecorder.perform aligns with the CWE-78 pattern of direct command execution with user input. The medium confidence in PerfectoBuilder.perform accounts for alternative implementations, though the core issue remains parameter injection in command execution contexts. The patch's mitigation (moving execution to agents) implies the vulnerable functions were controller-side execution entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

P*r***to Plu*in *llows sp**i*yin* P*r***to *onn**t P*t* *n* P*r***to *onn**t *il* N*m* in jo* *on*i*ur*tions. T*is *omm*n* is *x**ut** on t** J*nkins *ontroll*r in P*r***to Plu*in *.** *n* **rli*r, *llowin* *tt**k*rs wit* Jo*/*on*i*ur* p*rmission to

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** us* o* jo* *on*i*ur*tion p*r*m*t*rs (P*r***to *onn**t P*t*/*il*N*m*) in OS *omm*n* *x**ution. In J*nkins plu*ins, t** `'p*r*orm'` m*t*o* in `*uil**rs/r**or**rs` is w**r* *uil* **tions *x**ut*. T** *i** *on*i**

8.8

Basic Information

Concerned about an active attack path?

CVE-2020-2261: OS command execution vulnerability in Perfecto Plugin

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI