CVE-2017-1000502
Description
A Jenkins EC2 plugin vulnerability allows users with agent creation permissions to execute arbitrary commands on the master node, fixed in version 1.38.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Jenkins EC2 plugin vulnerability allows users with agent creation permissions to execute arbitrary commands on the master node, fixed in version 1.38.
Vulnerability
The EC2 plugin for Jenkins, versions 1.37 and earlier, allows users with permission to create or configure agents to specify arbitrary shell commands that execute on the Jenkins master node whenever the agent is launched [1]. This is due to insufficient permission checks on the agent configuration, enabling command injection. All versions up to and including 1.37 are affected [2].
Exploitation
An attacker must have the 'Agent > Create' or 'Agent > Configure' permissions in Jenkins. They can then configure an EC2 agent to run a script on the master node by providing shell commands in the agent setup. The commands execute with the privileges of the Jenkins master process when the agent is launched [1].
Impact
Successful exploitation allows arbitrary command execution on the Jenkins master node, potentially leading to full compromise of the Jenkins server and any systems it interacts with. This is rated as a high-severity vulnerability [2].
Mitigation
The vulnerability is fixed in EC2 plugin version 1.38, released on 2017-12-06 [2]. Users should update to this version or later. Prior versions require the 'Run Scripts' permission to configure agents, which is typically only granted to administrators, as a workaround [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:ec2Maven | < 1.38 | 1.38 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
4- github.com/advisories/GHSA-wp79-cpv2-9g7mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-1000502ghsaADVISORY
- jenkins.io/security/advisory/2017-12-06ghsaWEB
- jenkins.io/security/advisory/2017-12-06/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.