Description

The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2015-1844.html

https://access.redhat.com/errata/RHSA-2016:0070

https://bugzilla.redhat.com/show_bug.cgi?id=1205620

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27

Related Vulnerabilities

CVE-2017-1000392 Vulnerability in maven package org.jenkins-ci.main:jenkins-war

CVE-2023-49804 Vulnerability in npm package uptime-kuma

CVE-2023-45820 Vulnerability in npm package directus

CVE-2023-4302 Vulnerability in maven package org.jenkins-ci.plugins:fortify

CVE-2021-22096 Vulnerability in maven package org.springframework:spring-core

Severity

Critical

Classification

CWE-264

Tags

Vendor Advisory