Description

Jenkins Simple Travis Pipeline Runner Plugin 1.0 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.

Remediation

References

https://jenkins.io/security/advisory/2019-08-07/#SECURITY-922

http://www.openwall.com/lists/oss-security/2019/08/07/1

Related Vulnerabilities

CVE-2022-25179 Vulnerability in maven package org.jenkins-ci.plugins.workflow:workflow-multibranch

CVE-2023-28443 Vulnerability in npm package directus

CVE-2022-36899 Vulnerability in maven package com.compuware.jenkins:compuware-ispw-operations

CVE-2023-26049 Vulnerability in maven package org.eclipse.jetty:jetty-server

CVE-2021-25122 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Mailing List Third Party Advisory NVD-CWE-Other