Description
The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.
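The missing check in the vulnerable Plugins Manager is the one shown below: before installing a downloaded plugin archive, compare its digest with the checksum the update site metadata names for that file, and refuse the install on a mismatch or when no checksum is present. This is an added example written for this page, not Jenkins project code (Jenkins is Java; Python is used here so the check runs stand-alone). The metadata layout it assumes, a plugin entry with "url", "sha1" and "sha256" fields carrying base64-encoded digests, is an assumption about the update-center JSON, and all inputs (the plugin bytes, the entry, the hostname) are constructed inline.

```python
"""Checksum verification for a downloaded Jenkins plugin archive (.hpi).

Added example, not Jenkins project code. It models the check the vulnerable
Plugins Manager skipped: the update-site metadata names a checksum for each
plugin file, and the downloaded bytes must match it before the archive is
installed. The entry layout ("url", "sha1", "sha256" with base64 digests)
is an assumption about the update-center JSON; every input is constructed.
"""
import base64
import hashlib
import hmac
import json


class ChecksumMismatch(Exception):
    """Raised when the downloaded plugin does not match the update-site digest."""


def expected_digests(entry):
    """Return {algorithm: raw digest bytes} for every checksum the entry carries."""
    out = {}
    for field, algo in (("sha256", "sha256"), ("sha1", "sha1")):
        value = entry.get(field)
        if value:
            out[algo] = base64.b64decode(value)
    return out


def verify_plugin(entry, blob):
    """Verify downloaded plugin bytes against the metadata's checksums.

    Prefers SHA-256 when the metadata offers it and falls back to SHA-1 only
    when that is the sole digest available. Returns the algorithm used.
    Raises ChecksumMismatch on a mismatch and ValueError when the metadata
    carries no checksum at all: an unverifiable download must not be
    installed silently, which is exactly the pre-1.640 behaviour.
    """
    digests = expected_digests(entry)
    if not digests:
        raise ValueError(f"no checksum in update-site data for {entry.get('name')}")
    algo = "sha256" if "sha256" in digests else "sha1"
    actual = hashlib.new(algo, blob).digest()
    # Constant-time comparison: the attacker controls the blob, so do not
    # leak how many leading digest bytes happened to match.
    if not hmac.compare_digest(actual, digests[algo]):
        raise ChecksumMismatch(
            f"{entry.get('name')}: {algo} mismatch, refusing to install")
    return algo


def make_entry(name, blob, with_sha256=True):
    """Build a constructed update-site plugin entry describing the given bytes."""
    entry = {
        "name": name,
        # Hypothetical mirror URL, constructed for the example.
        "url": f"https://updates.example.invalid/download/plugins/{name}/1.0/{name}.hpi",
        "sha1": base64.b64encode(hashlib.sha1(blob).digest()).decode(),
    }
    if with_sha256:
        entry["sha256"] = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return entry


# Constructed sample: a genuine archive and a one-byte-altered copy standing
# in for what a man-in-the-middle could substitute on the download path.
GENUINE = b"PK\x03\x04" + b"genuine plugin archive contents"
TAMPERED = b"PK\x03\x04" + b"genuine plugin archive contentS"
ENTRY = make_entry("example-plugin", GENUINE)
LEGACY_ENTRY = make_entry("legacy-plugin", GENUINE, with_sha256=False)


def check(entry, blob):
    """Return 'ok:<algo>' or 'rejected' without raising, for callers wanting a verdict."""
    try:
        return "ok:" + verify_plugin(entry, blob)
    except (ChecksumMismatch, ValueError):
        return "rejected"


if __name__ == "__main__":
    print(json.dumps(ENTRY, indent=2))
    print("genuine:", check(ENTRY, GENUINE))
    print("tampered:", check(ENTRY, TAMPERED))
    print("legacy (sha1 only):", check(LEGACY_ENTRY, GENUINE))
    print("no checksum:", check({"name": "bare"}, GENUINE))
```

The check is only as strong as the metadata it trusts: a checksum downloaded from the same unauthenticated channel as the plugin can be swapped along with it, so the digests must come from update site data whose origin the instance has independently verified. Treating a missing checksum as a failure, rather than installing anyway, is what closes the gap this advisory describes.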
Remediation
Upgrade to Jenkins 1.640 or later, or to LTS 1.625.2 or later, the releases in which the Plugins Manager verifies plugin file checksums against the update site data before installation.
References
Related Vulnerabilities
TYPO3 Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2013-4321)
Joomla! Core Security Bypass (2.5.0 - 3.8.7)
WordPress Plugin Calendar Multiple Cross-Site Scripting Vulnerabilities (1.2.1)
Ruby Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-4481)
Django Loop with Unreachable Exit Condition ('Infinite Loop') Vulnerability (CVE-2022-23833)