CVE-2021-43578

Vulnerability

The Jenkins Squash TM Publisher (Squash4Jenkins) Plugin, versions 1.0.0 and earlier, implements an agent-to-controller message that does not perform any validation of its input [1], [2], [3]. This allows agents to send arbitrary data to the Jenkins controller without sanitization. The affected code path is reachable whenever an attacker can control an agent process, for example, by compromising a Jenkins agent or by gaining access to an agent node.

Exploitation

An attacker who is able to control an agent process (e.g., by having permissions to control agent nodes or by exploiting another vulnerability) can send a crafted agent-to-controller message. This message contains an arbitrary file path and an attacker-controlled JSON string. The plugin processes the message without verifying the file path, leading to replacement of the specified file on the Jenkins controller file system with the attacker-supplied JSON content [2], [4]. No additional authentication or user interaction is required beyond control of an agent.

Impact

Successful exploitation allows the attacker to overwrite arbitrary files on the Jenkins controller with an attacker-controlled JSON string. This can lead to corruption or modification of critical configuration files, secrets, or build artifacts. The attacker-controlled content is limited to JSON format, which may restrict direct RCE in some scenarios but could still enable compromise of sensitive data or disruption of Jenkins operations [2], [3], [4].

Mitigation

As of the advisory publication date (2021-11-12), no fix is available for this vulnerability [3], [4]. Users of the Squash TM Publisher Plugin should disable the plugin or restrict agent access to trusted nodes until a patched version is released. The plugin is listed as unresolved in the Jenkins security advisory [3]. There is no indication that this CVE is listed in KEV.