CVE-2020-2261

HIGH

Jenkins Perfecto Plugin <1.17 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-2261. PoCs published by shoucheng3.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2020-2261, a vulnerability in the Perfecto Jenkins Plugin. The exploit demonstrates how an attacker can manipulate environment variables and execute arbitrary commands through the plugin's build wrapper functionality.

Description

Jenkins Perfecto Plugin 1.17 and earlier executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller.

Exploits (1)

nomisec WORKING POC
by shoucheng3 · poc
https://github.com/shoucheng3/jenkinsci__perfecto-plugin_CVE-2020-2261_1-17

Classification
Working Poc: 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Perfecto Jenkins Plugin
Auth required
Prerequisites: Access to Jenkins with sufficient permissions to configure build environments · Perfecto Jenkins Plugin installed and configured
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2020/09/16/3

Scores

CVSS v3 8.8
EPSS 0.0136
EPSS Percentile 67.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (2)
io.jenkins.plugins/perfecto 0 - 1.18 (Maven)
jenkins/perfecto < 1.17
Published Sep 16, 2020
Tracked Since Feb 18, 2026