{"id":"CVE-2022-20617","details":"Jenkins Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag, resulting in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job's SCM repository.","aliases":["GHSA-jpxj-vgq5-prjc"],"modified":"2026-03-14T14:53:00.404795Z","published":"2022-01-12T20:15:08.907Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/01/12/6"},{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1878"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/docker-commons-plugin","events":[{"introduced":"0"},{"last_affected":"2f0fda49452a7653c33de24220c908786f1aa405"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.17"}]}}],"versions":["docker-commons-1.0","docker-commons-1.0-alpha-1","docker-commons-1.0-alpha-10","docker-commons-1.0-alpha-11","docker-commons-1.0-alpha-12","docker-commons-1.0-alpha-13","docker-commons-1.0-alpha-14","docker-commons-1.0-alpha-2","docker-commons-1.0-alpha-3","docker-commons-1.0-alpha-4","docker-commons-1.0-alpha-5","docker-commons-1.0-alpha-6","docker-commons-1.0-alpha-7","docker-commons-1.0-alpha-8","docker-commons-1.0-alpha-9","docker-commons-1.0-beta-1","docker-commons-1.1","docker-commons-1.10","docker-commons-1.11","docker-commons-1.12","docker-commons-1.13","docker-commons-1.14","docker-commons-1.15","docker-commons-1.16","docker-commons-1.17","docker-commons-1.2","docker-commons-1.3","docker-commons-1.3.1","docker-commons-1.4.0","docker-commons-1.4.1","docker-commons-1.5","docker-commons-1.6","docker-commons-1.7","docker-commons-1.8","docker-commons-1.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-20617.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}