CVE-2018-1000146 – org.jenkins-ci.plugins:liquibase-runner

Package

Manager: maven
Name: org.jenkins-ci.plugins:liquibase-runner
Vulnerable Version: >=0 <1.4.3

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0024 pctl0.47198

Details

Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM.

Metadata

Created: 2022-05-13T01:48:33Z
Modified: 2023-12-15T15:25:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3hvc-xwjp-xr8m/GHSA-3hvc-xwjp-xr8m.json
CWE IDs: []
Alternative ID: GHSA-3hvc-xwjp-xr8m
Finding: F184
Auto approve: 1