CVE-2020-2159: 
Java vulnerability analysis and mitigation

Jenkins CryptoMove Plugin version 0.1.33 and earlier contains a critical OS command injection vulnerability identified as CVE-2020-2159. The vulnerability was discovered by Wasin Saengow and publicly disclosed on March 9, 2020. This security flaw affects the Jenkins CryptoMove Plugin, which is a Jenkins automation server component (Jenkins Advisory, OSS Security).

The vulnerability allows attackers with Job/Configure permission to execute arbitrary OS commands on the Jenkins master node. The commands are executed with the same privileges as the OS user account running Jenkins. The vulnerability has been assigned a severity rating of High according to the CVSS scoring system. The issue stems from the plugin's build step configuration which permits the configuration of OS commands without proper validation or sanitization (Jenkins Advisory).

The vulnerability enables attackers with Job/Configure permissions to execute arbitrary operating system commands on the Jenkins master node with the same privileges as the Jenkins service account. This could potentially lead to complete system compromise, data theft, service disruption, or use of the Jenkins server for further attacks (NVD).

As of the advisory publication date, no official fix has been released for this vulnerability. Organizations using the CryptoMove Plugin version 0.1.33 or earlier should consider disabling the plugin or restricting Job/Configure permissions to trusted users only until a patch becomes available (Jenkins Advisory).