Description

Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.

Remediation

References

https://jenkins.io/security/advisory/2019-10-16/#SECURITY-918

Related Vulnerabilities

CVE-2023-29207 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2022-31684 Vulnerability in maven package io.projectreactor.netty:reactor-netty-http

CVE-2022-28220 Vulnerability in maven package org.apache.james.protocols:protocols-netty

CVE-2020-6467 Vulnerability in maven package org.webjars.npm:electron

CVE-2020-11009 Vulnerability in maven package org.rundeck:rundeck

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Tags

Vendor Advisory NVD-CWE-Other