VYPR
High severity · NVD Advisory · Published Sep 16, 2020 · Updated Aug 4, 2024

CVE-2020-2261

Description

Jenkins Perfecto Plugin 1.17 and earlier allows attackers with Job/Configure permission to execute arbitrary commands on the Jenkins controller.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2020-2261 is a command injection vulnerability in Jenkins Perfecto Plugin versions 1.17 and earlier. The plugin executes a command on the Jenkins controller and does not sufficiently validate the user-controllable inputs that shape that command [1][3]. The flaw lies in how the plugin launches the Perfecto Connect tunnel binary: any job configuration parameter that influences the resulting command line can be abused [3].

Exploitation

Exploitation requires the Job/Configure permission in Jenkins, a privilege routinely granted to users who maintain job configurations and one that is not meant to confer the ability to run commands on the controller [1]. No authentication bypass or other weakness is needed. The attacker places crafted values in the job configuration fields that the plugin passes into the operating system command; because those values are not validated, the injected commands run on the controller itself rather than on a build agent [3].
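
To make the vulnerability class concrete, here is an added Python example that is not the plugin's code and not taken from the advisory: the page does not show how the Perfecto plugin assembles its command line, so the example uses `echo` as a stand-in for the tunnel binary, a single job-configured `host` field, and assumes a POSIX `sh` is available. The vulnerable form concatenates the field into one command string and hands it to a shell; the hardened form passes an argument vector so the shell never parses the value, and additionally validates the field against the characters a hostname can contain, because switching to an argv vector alone does not stop an attacker who can still inject options or a different executable path.

```python
import re
import subprocess

# Stand-in for the tunnel executable the plugin launches. "echo" is an assumption
# so the example runs anywhere; the real binary and its flags are not given on the page.
TUNNEL_BIN = "echo"


def launch_tunnel_vulnerable(host: str) -> str:
    """Concatenates a job-configured field into one string and gives it to /bin/sh.
    Shell metacharacters in `host` are parsed as shell syntax, not as data."""
    cmd = f"{TUNNEL_BIN} --host {host}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return proc.stdout


# Conservative allow-list for a hostname (letters, digits, dots, hyphens, 253 chars max).
# Not a full RFC 1123 validator, but anything a shell could act on is excluded.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def launch_tunnel_hardened(host: str) -> str:
    """Rejects anything that is not a plain hostname, then passes an argv vector so no
    shell ever sees the value. The executable is fixed in code, never taken from the job."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected tunnel host from job configuration: {host!r}")
    proc = subprocess.run([TUNNEL_BIN, "--host", host],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    benign = "tunnel.example.com"
    malicious = "tunnel.example.com; echo INJECTED"   # constructed attacker-controlled value
    print(launch_tunnel_vulnerable(benign).rstrip())      # --host tunnel.example.com
    print(launch_tunnel_vulnerable(malicious).rstrip())   # --host tunnel.example.com / INJECTED
    print(launch_tunnel_hardened(benign).rstrip())        # --host tunnel.example.com
    try:
        launch_tunnel_hardened(malicious)
    except ValueError as err:
        print("blocked:", err)
```

On a real controller the second process would run as the Jenkins service account, which is exactly the outcome the advisory describes; the same pattern applies to any field (host, port, token, path) that reaches the command line, not just the hostname used here.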

Impact

A successful attack yields arbitrary command execution on the Jenkins controller (formerly called the master) with the privileges of the Jenkins process, normally a dedicated service account but in practice whatever account the service was installed under. From there an attacker can read the controller's secrets (the credentials store, signing keys, API tokens), tamper with builds and artifacts, and use the controller's trust relationships to move laterally onto connected agents and into anything else the controller can reach [2].

Mitigation

The vulnerability is fixed in Perfecto Plugin version 1.18 [1][2]; anyone running 1.17 or earlier should upgrade. Until the upgrade is in place, restrict Job/Configure to trusted users and review existing job configurations that use the Perfecto step for unexpected values. As of May 2024 the plugin is deprecated and no longer maintained by Perfecto [4], so 1.18 is a stopgap rather than a destination; users are advised to migrate to the alternative pipeline approach the vendor recommends.
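
The following added Python check is not part of the advisory or the plugin. It inventories a controller through the Jenkins plugin-manager API (`/pluginManager/api/json?depth=1`) and flags a Perfecto plugin older than 1.18. It assumes the plugin's Jenkins short name is `perfecto`, matching the Maven artifactId listed under Affected packages, and that the caller has a user with Overall/Read and an API token; the `SAMPLE` payload is constructed to mirror the API's shape so the check runs offline. Versions are compared numerically, since a string comparison would wrongly treat 1.9 as newer than 1.18.

```python
import json
import urllib.request
from base64 import b64encode

# Assumption: the Jenkins short name equals the Maven artifactId io.jenkins.plugins:perfecto.
VULNERABLE_SHORT_NAME = "perfecto"
FIXED_VERSION = "1.18"   # first fixed release per the advisory


def parse_version(version: str) -> tuple:
    """Turn '1.17' / '1.18.1' into a tuple of ints so that 1.9 < 1.18 compares correctly.
    A qualifier after '-' (e.g. '1.18-beta1') is dropped; this is deliberately simpler
    than Maven's comparator and treats such a pre-release as equal to its release."""
    core = version.split("-", 1)[0]
    return tuple(int(part) if part.isdigit() else 0 for part in core.split("."))


def is_vulnerable(version: str) -> bool:
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable(plugin_manager: dict) -> list:
    """Return the entries affected by CVE-2020-2261 from a pluginManager/api/json payload."""
    hits = []
    for plugin in plugin_manager.get("plugins", []):
        if plugin.get("shortName") != VULNERABLE_SHORT_NAME:
            continue
        if is_vulnerable(plugin.get("version", "0")):
            hits.append({
                "shortName": plugin["shortName"],
                "version": plugin["version"],
                # a disabled copy still ships the vulnerable code and should be removed too
                "enabled": plugin.get("enabled", True),
            })
    return hits


def fetch_plugin_manager(base_url: str, user: str, api_token: str) -> dict:
    """Live query against a controller; HTTP basic auth with a Jenkins API token."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    creds = b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample of the API's shape; not captured from a real controller.
SAMPLE = {
    "plugins": [
        {"shortName": "perfecto", "longName": "Perfecto", "version": "1.17", "enabled": True},
        {"shortName": "git", "longName": "Git plugin", "version": "4.8.3", "enabled": True},
    ]
}

if __name__ == "__main__":
    # Replace SAMPLE with fetch_plugin_manager("https://jenkins.example", "user", "token")
    # to audit a live controller.
    for hit in find_vulnerable(SAMPLE):
        print(f"VULNERABLE: {hit['shortName']} {hit['version']} "
              f"(enabled={hit['enabled']}) -> upgrade to {FIXED_VERSION} or remove")
```

Run it against every controller in the estate rather than the one you happen to know about; the plugin's deprecation means a stray install on an older controller is unlikely to be noticed otherwise.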

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions   Patched versions
io.jenkins.plugins:perfecto (Maven)  < 1.18              1.18
