Description
Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, which allows attackers who are able to run Script Security-protected scripts to execute arbitrary code.
Remediation
References
https://jenkins.io/security/advisory/2019-10-16/#SECURITY-918
Related Vulnerabilities
CVE-2021-31405 Vulnerability in maven package com.vaadin:vaadin-text-field-flow
CVE-2018-15494 Vulnerability in maven package org.webjars.bower:dojox
CVE-2023-31125 Vulnerability in maven package org.webjars.npm:engine.io
CVE-2022-34784 Vulnerability in maven package org.jenkins-ci.plugins:build-metrics
CVE-2021-20250 Vulnerability in maven package org.jboss:jboss-ejb-client