Impact
The Jenkins Credentials Binding Plugin, versions up to 720.v3f6decef43ea_, contains a CWE‑20 (Improper Input Validation) flaw where file and zip file credential names are not sanitized. This flaw allows an attacker who can supply credentials for a job to create arbitrary files on the node’s filesystem, potentially writing executable code. The vulnerability is significant because if the job runs on the built‑in node and a low‑privileged user is allowed to configure such credentials, the attacker can gain remote code execution on the Jenkins host. Based on the description, it is inferred that the attacker must be authenticated and have permission to add or modify file or zip file credentials for the target job.
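The check that is missing here, shown as an added example (not the plugin's code or its actual fix): a credential file name is validated before it is joined to the directory the file is written into. `resolveInside`, the class name, and the sample names are hypothetical and constructed for illustration, and the example assumes the unsanitized name reaches a plain path join.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public class SafeCredentialFile {

    /** Resolve a user-supplied credential file name inside baseDir, or throw. */
    static Path resolveInside(Path baseDir, String fileName) throws IOException {
        // 1. Syntactic check: the name must be a single path component.
        if (fileName == null || fileName.isEmpty()
                || fileName.equals(".") || fileName.equals("..")
                || fileName.indexOf('/') >= 0 || fileName.indexOf('\\') >= 0
                || fileName.indexOf('\0') >= 0) {
            throw new IOException("Rejected credential file name: " + fileName);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target;
        try {
            target = base.resolve(fileName).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("Rejected credential file name: " + fileName, e);
        }
        // 2. Defence in depth: the result must be a direct child of base,
        //    whatever platform-specific parsing did to the name.
        if (!base.equals(target.getParent())) {
            throw new IOException("Credential file would be written outside " + base);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the directory a build binds credentials into.
        Path dir = Files.createTempDirectory("cred-demo");
        // Constructed sample names: one ordinary, the rest must be refused.
        String[] names = { "deploy-key.pem", "../outside.txt", "/tmp/abs.txt", "sub\\file", ".." };
        for (String name : names) {
            try {
                Path p = resolveInside(dir, name);
                Files.write(p, new byte[] { 0 });
                System.out.println("accepted: " + name + " -> " + p);
            } catch (IOException e) {
                System.out.println("rejected: " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only `deploy-key.pem` is accepted; every other name is refused before any file is created.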
Affected Systems
The affected product is the Jenkins Credentials Binding Plugin from the Jenkins Project, specifically any release at or before version 720.v3f6decef43ea_. Exploitation requires the ability to add or modify file or zip file credentials for a job that executes on the built‑in node. The issue is irrelevant if users cannot supply these credentials or if the Jenkins instance disables low‑privileged credential configuration.
Risk and Exploitability
The flaw carries a CVSS score of 7.5, indicating high severity. The EPSS score is now reported as <1%, indicating a very low likelihood of exploitation in the current threat landscape. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an authenticated user with permission to supply job credentials; once a malicious filename is injected, the job will write a file that can be executed on the node. Successful exploitation would result in full remote code execution on the Jenkins host.