AVID-2026-R0938
Description
Vulnerability CVE-2022-20617
Details
Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job’s SCM repository.
Reason for inclusion in AVID: CVE-2022-20617 describes an OS command execution vulnerability in the Jenkins Docker Commons Plugin caused by image and tag names that are passed to the OS without sanitization. The plugin is widely used in CI/CD pipelines that build and deploy containerized artifacts, including those produced in AI/ML workflows, so the flaw is a software supply chain issue in a component used to build, package, deploy, or run AI systems (CI/CD, artifact pipelines), and it represents a security vulnerability with potential remote code execution. Note the precondition stated in the advisory text: the attacker needs either Item/Configure permission or control over the contents of an SCM repository that a configured job already checks out, which means anyone able to commit to such a repository is in scope, not only Jenkins users. The evidence in the report supports all required aspects.
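The bug class behind this entry, shown as an added example that is not the plugin's own code and is written in Python rather than the plugin's Java for brevity. It contrasts an image reference interpolated into a shell command line with a hardened version that first validates the reference against a conservative allowlist and then passes it as a single argv element, so no shell parses it. The `IMAGE_REF` grammar is a simplified subset of Docker's reference grammar chosen for this example, the `echo` stand-in for the `docker` binary and the attacker-controlled value are constructed so the demo runs offline, and the function names are this example's own, not the plugin's.

```python
#!/usr/bin/env python3
"""Illustration of the bug class in CVE-2022-20617: an untrusted Docker image
reference spliced into a shell command line. Added example; not the plugin's code."""
import re
import subprocess
from typing import List

# Conservative allowlist for an image reference, simplified from Docker's
# distribution/reference grammar: [registry[:port]/][path/]name[:tag][@sha256:hex].
# It admits no whitespace, no shell metacharacters and no leading '-', so a value
# that passes can neither break out of a shell nor be mistaken for an option.
IMAGE_REF = re.compile(
    r"^(?:[A-Za-z0-9][A-Za-z0-9.-]*(?::[0-9]+)?/)?"   # optional registry host[:port]/
    r"(?:[a-z0-9]+(?:[._-]+[a-z0-9]+)*/)*"            # optional path components
    r"[a-z0-9]+(?:[._-]+[a-z0-9]+)*"                  # repository name (lowercase)
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"        # optional :tag
    r"(?:@sha256:[0-9a-f]{64})?$"                     # optional @digest
)


def unsafe_pull_cmdline(image: str, docker_bin: str = "docker") -> str:
    """Vulnerable pattern: the image name is interpolated into a string that is
    later handed to /bin/sh, so metacharacters inside it become extra commands."""
    return f"{docker_bin} pull {image}"


def safe_pull_argv(image: str, docker_bin: str = "docker") -> List[str]:
    """Hardened pattern: reject anything outside the allowlist grammar, then pass
    the image as one argv element so no shell ever sees it."""
    if not IMAGE_REF.fullmatch(image):
        raise ValueError(f"rejected image reference: {image!r}")
    return [docker_bin, "pull", image]


def run_through_shell(cmdline: str) -> str:
    """Execute a command line the way shell=True would and return its stdout."""
    proc = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True)
    return proc.stdout


def run_argv(argv: List[str]) -> str:
    """Execute an argv list directly (no shell) and return its stdout."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed attacker-controlled value, e.g. an image name read from a job's
    # repository contents. `echo` stands in for docker so this runs offline.
    evil = "alpine:3.15; echo INJECTED"
    print(run_through_shell(unsafe_pull_cmdline(evil, docker_bin="echo")))
    # The shell ran a second command: output is "pull alpine:3.15" then "INJECTED".
    print(run_argv(["echo", "pull", evil]))
    # argv alone already prevents the second command: the whole value is one argument.
    try:
        safe_pull_argv(evil, docker_bin="echo")
    except ValueError as exc:
        print(exc)
    print(run_argv(safe_pull_argv("registry.example.com:5000/team/app:1.2.3", "echo")))
```

The argv form alone stops the shell injection, but the allowlist is still worth keeping: it also rejects values such as `-v` or `--help` that the invoked binary would otherwise parse as options, and it rejects uppercase repository names and embedded newlines that Docker itself would not accept.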
References
- NVD entry
- https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1878
- http://www.openwall.com/lists/oss-security/2022/01/12/6
Affected or Relevant Artifacts
- Developer: Jenkins project
- Deployer: Jenkins project
- Artifact Details:
| Type | Name |
|---|---|
| System | Jenkins Docker Commons Plugin |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-01-12
- Version: 0.3.3
- AVID Entry