Description

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2015-1844.html

https://access.redhat.com/errata/RHSA-2016:0070

https://bugzilla.redhat.com/show_bug.cgi?id=1205620

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27

Related Vulnerabilities

CVE-2017-12620 Vulnerability in maven package org.apache.opennlp:opennlp-tools

CVE-2020-2274 Vulnerability in maven package org.jenkins-ci.plugins:elastestv

CVE-2022-34870 Vulnerability in maven package org.apache.geode:geode-pulse

CVE-2022-34188 Vulnerability in maven package org.jenkins-ci.plugins:hidden-parameter

CVE-2011-5063 Vulnerability in maven package tomcat:catalina

Severity

Critical

Classification

CWE-264

Tags

Vendor Advisory