Description
Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.
Remediation
References
https://jenkins.io/security/advisory/2019-10-16/#SECURITY-918