CVE-2017-1000502

HIGH

Jenkins EC2 < 1.37 - Authenticated OS Command Injection via Agent Configuration

Title source: llm

Description

Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of these agents now requires the 'Run Scripts' permission typically only granted to administrators.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://jenkins.io/security/advisory/2017-12-06/

Scores

CVSS v3 8.8

EPSS 0.0067

EPSS Percentile 71.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

jenkins/ec2 < 1.37

org.jenkins-ci.plugins/ec2 0 - 1.38Maven

Published Jan 24, 2018

Tracked Since Feb 18, 2026