Description

Jenkins Simple Travis Pipeline Runner Plugin 1.0 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/08/07/1

https://jenkins.io/security/advisory/2019-08-07/#SECURITY-922

Related Vulnerabilities

CVE-2020-1935 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

CVE-2019-10373 Vulnerability in maven package org.jenkins-ci.plugins:build-pipeline-plugin

CVE-2021-46063 Vulnerability in maven package net.mingsoft:ms-mcms

CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http-core

CVE-2020-6423 Vulnerability in maven package org.webjars.npm:electron

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory Vendor Advisory NVD-CWE-Other