CVE-2020-2200
Description
Jenkins Play Framework Plugin 1.0.2 and earlier allows OS command injection via user-specified path to the play command.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
The Jenkins Play Framework Plugin up to version 1.0.2 permits users to specify the path to the play command on the Jenkins master during form validation. This input is not sanitized, leading to an OS command injection vulnerability [1][2].
Exploitation
An attacker must be able to store a file (e.g., a malicious executable) on the Jenkins master. The attacker then supplies this file's path as the play command, causing the plugin to execute it during form validation. No special authentication is required beyond the ability to interact with the validation endpoint [1][2].
Impact
Successful exploitation allows arbitrary OS command execution on the Jenkins master with the privileges of the Jenkins process, potentially compromising the entire Jenkins environment and its managed nodes [1][2].
Mitigation
As of the advisory on 2020-06-03, the Play Framework Plugin had no fix released, and the vulnerability was unresolved [1][3]. Users should avoid using the plugin or ensure that only trusted users can store files on the master.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:play-autotest-plugin | Maven | <= 1.0.2 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-h5mv-fv98-gqmq (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2020-2200 (NVD advisory)
- [3] www.openwall.com/lists/oss-security/2020/06/03/3 (oss-security mailing list, x_refsource_MLIST)
- [4] jenkins.io/security/advisory/2020-06-03/ (Jenkins security advisory, x_refsource_CONFIRM)
News mentions
- Jenkins Security Advisory 2020-06-03 (Jenkins Security Advisories, Jun 3, 2020)