Description

Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.

Remediation

References

https://jenkins.io/security/advisory/2019-10-16/#SECURITY-918

Related Vulnerabilities

CVE-2023-46131 Vulnerability in maven package org.grails:grails-encoder

CVE-2020-2321 Vulnerability in maven package org.jenkins-ci.plugins:shelve-project-plugin

CVE-2021-21179 Vulnerability in npm package electron

CVE-2020-2170 Vulnerability in maven package org.jenkins-ci.plugins:rapiddeploy-jenkins

CVE-2018-17145 Vulnerability in npm package bcoin

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Tags

Vendor Advisory NVD-CWE-Other