Description

Jenkins Simple Travis Pipeline Runner Plugin 1.0 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/08/07/1

https://jenkins.io/security/advisory/2019-08-07/#SECURITY-922

Related Vulnerabilities

CVE-2021-33587 Vulnerability in npm package css-what

CVE-2022-43410 Vulnerability in maven package org.jenkins-ci.plugins:mercurial

CVE-2017-12612 Vulnerability in maven package org.apache.spark:spark-core_2.10

CVE-2019-1003089 Vulnerability in maven package ren.helloworld:upload-pgyer

CVE-2020-28499 Vulnerability in npm package merge

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory Vendor Advisory NVD-CWE-Other