Description
Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, which allows attackers who are able to execute Script Security-protected scripts to execute arbitrary code.
Remediation
References
https://jenkins.io/security/advisory/2019-10-16/#SECURITY-918
Related Vulnerabilities
CVE-2017-17068 Vulnerability in maven package org.webjars.npm:auth0-js
CVE-2017-15703 Vulnerability in maven package org.apache.nifi:nifi-authorizer
CVE-2019-10341 Vulnerability in maven package io.jenkins.docker:docker-plugin
CVE-2014-9635 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2021-44548 Vulnerability in maven package org.apache.solr:solr-core