Description
Jenkins Simple Travis Pipeline Runner Plugin 1.0 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.
Remediation
References
http://www.openwall.com/lists/oss-security/2019/08/07/1
https://jenkins.io/security/advisory/2019-08-07/#SECURITY-922