Description
Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.
Remediation
References
https://jenkins.io/security/advisory/2019-10-16/#SECURITY-918