CVE-2021-43578

EUVD-2022-4078
Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 31%
Affected Products (NVD)
VendorProductVersion
jenkinssquash_tm_publisher
𝑥
≤ 1.0.0
𝑥
= Vulnerable software versions
References
http://www.openwall.com/lists/oss-security/2021/11/12/1
https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2525
http://www.openwall.com/lists/oss-security/2021/11/12/1
https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2525