Description
Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.
Remediation
References
https://jenkins.io/security/advisory/2019-10-16/#SECURITY-918