Description
Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.
Remediation
References
https://jenkins.io/security/advisory/2019-10-16/#SECURITY-918