Description
In Jenkins 2.73.1 and earlier, and 2.83 and earlier, users with permission to create or configure agents could configure a launch method called 'Launch agent via execution of command on master'. This allowed them to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuring this launch method now requires the Run Scripts permission, which is typically granted only to administrators.
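An added example, not part of the advisory or of Jenkins' own code: a read-only audit that lists agents still configured with this launch method, so the stored commands can be reviewed after upgrading. The class name `hudson.slaves.CommandLauncher`, the `<agentCommand>` element and the `nodes/*/config.xml` layout are assumptions about Jenkins' on-disk format, and the sample XML is constructed.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Launcher class behind "Launch agent via execution of command on master".
# Assumption: class and <agentCommand> names come from Jenkins itself, not this page.
COMMAND_LAUNCHER = "hudson.slaves.CommandLauncher"

def find_command_launchers(configs):
    """configs maps agent name -> config.xml text; returns [(agent, command or None)]."""
    findings = []
    for name, xml_text in sorted(configs.items()):
        # Drop the XML declaration: Jenkins may write version 1.1, which expat rejects.
        body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            findings.append((name, None))  # unreadable config: review by hand
            continue
        for launcher in root.iter("launcher"):
            if launcher.get("class") == COMMAND_LAUNCHER:
                command = launcher.findtext("agentCommand", default="")
                findings.append((name, command.strip()))
    return findings

def scan_jenkins_home(home):
    """Read every nodes/<agent>/config.xml under a JENKINS_HOME directory."""
    configs = {p.parent.name: p.read_text(encoding="utf-8", errors="replace")
               for p in Path(home).glob("nodes/*/config.xml")}
    return find_command_launchers(configs)

# Constructed sample configs (not taken from a real Jenkins instance).
SAMPLE = {
    "build-01": """<?xml version='1.1' encoding='UTF-8'?>
<slave>
  <name>build-01</name>
  <launcher class="hudson.slaves.CommandLauncher">
    <agentCommand>ssh build-01 java -jar agent.jar</agentCommand>
  </launcher>
</slave>""",
    "build-02": """<?xml version='1.1' encoding='UTF-8'?>
<slave><name>build-02</name><launcher class="hudson.slaves.JNLPLauncher"/></slave>""",
}

if __name__ == "__main__":
    for agent, command in find_command_launchers(SAMPLE):
        print(f"{agent}: {command!r}")
```

Each reported command should be traced back to whoever configured the agent and checked against who holds the Run Scripts permission.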
Remediation
References
https://jenkins.io/security/advisory/2017-10-11/