CVE-2022-20617: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Jenkins Docker Commons Plugin does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job’s SCM repository.
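The weakness described above is the classic pairing of an unvalidated image reference with a shell command built by string concatenation. The following is an added example, not code from this advisory or from the Docker Commons Plugin (which is written in Java): it shows a validator modeled on Docker's reference grammar (simplified here; digests and some edge cases are omitted) next to the unsafe and the hardened ways of building the `docker pull` invocation.

```python
import re
import subprocess
from typing import List

# Simplified rendering of Docker's image reference grammar (assumption: the
# real grammar also accepts "@sha256:<hex>" digests, which are left out here).
_COMPONENT = r"[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*"
_HOST_LABEL = r"[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?"
_DOMAIN = rf"(?:{_HOST_LABEL}(?:\.{_HOST_LABEL})*(?::[0-9]+)?/)?"
_TAG = r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}"
IMAGE_REF = re.compile(rf"^{_DOMAIN}{_COMPONENT}(?:/{_COMPONENT})*(?::{_TAG})?$")


def is_valid_image_ref(ref: str) -> bool:
    """Accept only strings that are well-formed image references.

    Shell metacharacters, whitespace and quotes are outside the grammar, so any
    attempt to smuggle extra shell syntax through the image or tag field fails here.
    """
    return IMAGE_REF.fullmatch(ref) is not None


def build_pull_command_unsafe(image: str) -> str:
    """Vulnerable pattern: the name is spliced into a command string that is
    later handed to a shell (shell=True). Anything in `image` is interpreted
    by the shell, which is the defect class behind this CVE."""
    return f"docker pull {image}"


def build_pull_command_safe(image: str) -> List[str]:
    """Hardened pattern: validate the reference against the grammar, then pass
    the executable and its arguments as a list, so no shell ever parses them."""
    if not is_valid_image_ref(image):
        raise ValueError(f"rejected image reference: {image!r}")
    return ["docker", "pull", image]


def pull_image(image: str) -> int:
    """Run the hardened command without a shell; returns the exit status."""
    return subprocess.run(build_pull_command_safe(image), check=False).returncode
```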