| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jvnet.hudson.plugins:selection-tasks-plugin | maven | <= 1.0 | |

The vulnerability stems from the plugin's handling of user-supplied executable paths in parameter configurations. Jenkins parameter definitions typically use DescriptorImpl classes to handle backend logic. The getSelectionList() method would be responsible for executing the specified program to generate parameter options. Since the advisory explicitly states user-controlled program execution on the controller node, this method would directly pass the unsanitized user input to Runtime.exec() or similar APIs, enabling command injection. The CWE-78 classification and Jenkins plugin architecture patterns support this conclusion despite the lack of explicit code samples.
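
The pattern inferred above, next to one way to constrain it, as an added example (Java 11+) that is not the plugin's code: every class, method and file name below is hypothetical, and limiting execution to an administrator-owned directory is an assumed mitigation, not a fix published for this plugin.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
// Added illustration: all names here are hypothetical, none come from the plugin.
public class SelectionListRunner {
    // Risky shape described above: a job-configuration string reaches exec() unchanged.
    static Process unsafeRun(String configuredProgram) throws IOException {
        return Runtime.getRuntime().exec(configuredProgram);
    }

    // Hardened shape: accept only a regular file inside an administrator-owned directory.
    static Path resolveAllowed(Path approvedDir, String configuredProgram) throws IOException {
        Path base = approvedDir.toRealPath();
        // toRealPath() collapses ".." and symlinks and throws if the file is missing.
        Path candidate = base.resolve(configuredProgram).toRealPath();
        if (!candidate.startsWith(base) || !Files.isRegularFile(candidate)) {
            throw new SecurityException("not an approved program: " + configuredProgram);
        }
        return candidate;
    }

    static List<String> safeRun(Path approvedDir, String configuredProgram)
            throws IOException, InterruptedException {
        Path program = resolveAllowed(approvedDir, configuredProgram);
        // Argument-vector form: no shell, and no arguments taken from the job configuration.
        Process p = new ProcessBuilder(program.toString()).redirectErrorStream(true).start();
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        if (p.waitFor() != 0) {
            throw new IOException("selection program exited with a non-zero status");
        }
        return List.of(out.split("\\R"));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temporary "approved" directory holding one script file.
        Path dir = Files.createTempDirectory("approved-selection-scripts");
        Files.writeString(dir.resolve("list-branches.sh"), "#!/bin/sh\necho main\n");
        for (String input : List.of("list-branches.sh", "../list-branches.sh", "/bin/sh")) {
            try {
                System.out.println(input + " -> allowed: " + resolveAllowed(dir, input));
            } catch (IOException | SecurityException e) {
                System.out.println(input + " -> rejected: " + e);
            }
        }
    }
}
```

The directory check only helps if users who can configure jobs cannot write to the approved directory on the controller.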