CVE-2017-2652: Improper Authentication

May 13, 2022 (updated January 30, 2024)

It was found that there were no permission checks performed in the Distributed Fork plugin before and including 1.5.0 for Jenkins that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.

References

www.securityfocus.com/bid/96980
github.com/advisories/GHSA-2cm5-f78c-h2c8
jenkins.io/security/advisory/2017-03-20/
nvd.nist.gov/vuln/detail/CVE-2017-2652

Code Behaviors & Features

Detect and mitigate CVE-2017-2652 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →