Description
Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of these agents now requires the 'Run Scripts' permission typically only granted to administrators.
Remediation
References
https://jenkins.io/security/advisory/2017-12-06/
Related Vulnerabilities
CVE-2020-2121 Vulnerability in maven package org.jenkins-ci.plugins:google-kubernetes-engine
CVE-2023-48238 Vulnerability in npm package json-web-token
CVE-2020-5408 Vulnerability in maven package org.springframework.security:spring-security-crypto
CVE-2023-31469 Vulnerability in maven package org.apache.streampipes:streampipes-rest
CVE-2023-46998 Vulnerability in maven package org.webjars.bowergithub.makeusabrew:bootbox