CVE-2023-28677 Information

Apr 03, 2023 cve

Description

Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects’ Build Environment Build Steps and Post-build Actions to the equivalent Pipeline step invocations allowing attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a convertion by Jenkins Convert To Pipeline Plugin.

Reference

https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-2966

Share on: