CVE-2020-2159
Description
Jenkins CryptoMove Plugin ≤0.1.33 allows users with Job/Configure permission to execute arbitrary OS commands on the Jenkins master.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2020-2159 is a command injection vulnerability in the Jenkins CryptoMove Plugin versions 0.1.33 and earlier [1]. The plugin fails to properly sanitize user-supplied input when build steps are configured, allowing attackers with Job/Configure permission to inject arbitrary operating system commands [2].
Exploitation
An attacker must have Job/Configure access to a Jenkins job. By crafting a malicious build configuration, they can execute arbitrary OS commands on the Jenkins master node. No additional authentication is required beyond the Jenkins credentials that grant the necessary permission. The attack can be performed remotely if the Jenkins instance is network-accessible [1].
Impact
Successful exploitation gives the attacker the ability to execute arbitrary commands as the OS user running Jenkins. This can lead to full compromise of the Jenkins master, including access to credentials, secrets, and the ability to pivot to other systems [2].
Mitigation
As of the March 2020 security advisory, no fixed version of the CryptoMove Plugin has been released [1][2]. The plugin is listed as an unresolved security issue. Administrators should restrict Job/Configure permissions to trusted users only, or remove the plugin entirely if it is not required.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:cryptomove (Maven) | <= 0.1.33 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-p5x5-jg3j-2jcj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-2159 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2020/03/09/1 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- jenkins.io/security/advisory/2020-03-09/ (ghsa, x_refsource_CONFIRM, WEB)
News mentions
- Jenkins Security Advisory 2020-03-09 (Jenkins Security Advisories · Mar 9, 2020)