Description
The Distributed Fork plugin for Jenkins, in versions up to and including 1.5.0, provides the dist-fork CLI command. The plugin performed no permission checks beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.
Remediation
References
https://jenkins.io/security/advisory/2017-03-20/
http://www.securityfocus.com/bid/96980