Description

An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM.

Remediation

References

https://jenkins.io/security/advisory/2018-03-26/#SECURITY-519

Related Vulnerabilities

CVE-2021-21277 Vulnerability in maven package org.webjars.npm:angular-expressions

CVE-2022-34192 Vulnerability in maven package org.jenkins-ci.plugins:ontrack

CVE-2022-34183 Vulnerability in maven package io.jenkins.plugins:agent-server-parameter

CVE-2014-0109 Vulnerability in maven package org.apache.cxf:cxf-bundle

CVE-2022-45380 Vulnerability in maven package org.jenkins-ci.plugins:junit

Severity

Critical

Classification

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory NVD-CWE-noinfo