GHSA-jq84-6fmm-6qv6

GitHub Security Advisory

OS command execution vulnerability in Perfecto Plugin

✓ GitHub Reviewed | HIGH | Has CVE

Advisory Details

Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations.

In Perfecto Plugin 1.17 and earlier, the command specified by these settings is executed on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller.

Perfecto Plugin 1.18 executes the specified commands on the agent the build is running on.

Affected Packages

Maven io.jenkins.plugins:perfecto
Affected versions: 0 (fixed in 1.18)

Related CVEs

Key Information

GHSA ID: GHSA-jq84-6fmm-6qv6
Published: May 24, 2022 5:28 PM
Last Modified: December 29, 2022 1:42 AM
CVSS Score: 7.5/10
Primary Ecosystem: Maven
Primary Package: io.jenkins.plugins:perfecto
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.