Description
Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist. Attackers who are able to run Script Security protected scripts can use these whitelisted entries to execute arbitrary code.
Remediation
References
https://jenkins.io/security/advisory/2019-10-16/#SECURITY-918