Impact
Based on the description, it is inferred that the Jenkins OWASP ZAP Plugin versions 1.0.7 and earlier performed build tasks on the Jenkins controller rather than on a dedicated agent. This design flaw lets an attacker who holds the Item/Configure permission execute arbitrary code on the controller machine. Because the controller often runs with elevated privileges, a successful exploit yields full compromise of the Jenkins environment, enabling the attacker to tamper with builds, exfiltrate data, or pivot to other systems integrated with Jenkins. In effect, an authenticated user's job-configuration permission becomes remote code execution on the control plane.
Affected Systems
The vulnerability affects the Jenkins Project’s OWASP ZAP Plugin, specifically versions 1.0.7 and prior. The affected environment is the Jenkins continuous integration controller that hosts the plugin.
Risk and Exploitability
No CVSS score is supplied. Based on the description, the nature of the flaw (arbitrary code execution under the Item/Configure permission) implies a high severity, potentially an 8–10. The EPSS score is unavailable, so the likelihood of exploitation in the wild cannot be quantified, but given the critical role of Jenkins in many pipelines and the common delegation of Item/Configure rights, the risk is significant. The CISA KEV catalog does not list this vulnerability, so there is no confirmed report of exploitation in the wild yet. The probable attack vector requires authenticated access to the Jenkins instance with sufficient configuration rights; hence, organizations that limit those permissions can reduce their exposure. Nonetheless, the ability to run arbitrary commands on the controller is a serious exposure that should be mitigated promptly.
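To gauge exposure on a given instance, the following added example (not part of the advisory or of the Jenkins project) checks a plugin inventory for the affected version range and lists who can configure items under matrix-based authorization. The plugin short name `zap`, the inventory shape (as returned by `/pluginManager/api/json?depth=1`) and the sample data are assumptions or constructed values.

```python
import json
import re
import xml.etree.ElementTree as ET

PLUGIN_ID = "zap"            # ASSUMPTION: plugin short name; confirm in Manage Plugins
LAST_AFFECTED = (1, 0, 7)    # "1.0.7 and earlier", from the advisory text
# Overall/Administer implies every other permission, including Item/Configure.
GRANTS = {"hudson.model.Item.Configure", "hudson.model.Hudson.Administer"}

def version_tuple(version):
    """'1.0.7' or '1.0.7-SNAPSHOT' -> (1, 0, 7)."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def affected_version(inventory_json, plugin_id=PLUGIN_ID):
    """Installed version if the plugin is present and in the affected range, else None."""
    for plugin in json.loads(inventory_json).get("plugins", []):
        version = plugin.get("version", "0")
        if plugin.get("shortName") == plugin_id and version_tuple(version) <= LAST_AFFECTED:
            return version
    return None

def configure_holders(config_xml):
    """Principals whose matrix <permission> entry lets them configure items."""
    holders = set()
    for entry in ET.fromstring(config_xml).iter("permission"):
        text = (entry.text or "").strip()
        if text.startswith(("USER:", "GROUP:")):   # prefix used by newer matrix-auth
            text = text.split(":", 1)[1]
        permission, _, sid = text.partition(":")
        if permission in GRANTS and sid:
            holders.add(sid)
    return sorted(holders)

def audit(inventory_json, config_xml):
    """Report the affected version (if any) and who could reach the flaw."""
    version = affected_version(inventory_json)
    return {"affected_version": version,
            "exposed_to": configure_holders(config_xml) if version else []}

# Constructed sample data, not taken from a real instance.
SAMPLE_INVENTORY = ('{"plugins": [{"shortName": "git", "version": "4.11.0"},'
                    ' {"shortName": "zap", "version": "1.0.7"}]}')
SAMPLE_CONFIG = """<hudson><authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
  <permission>hudson.model.Hudson.Administer:admin</permission>
  <permission>hudson.model.Item.Configure:dev-team</permission>
  <permission>USER:hudson.model.Item.Configure:alice</permission>
  <permission>hudson.model.Item.Read:anonymous</permission>
</authorizationStrategy></hudson>"""

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY, SAMPLE_CONFIG))
```

The same `configure_holders` function works on a job's own `config.xml` when project-based matrix authorization is in use, since those grants are also stored as `<permission>` elements.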
OpenCVE Enrichment