CVE-2019-10380 – org.jenkins-ci.plugins:simple-travis-runner
Package
Manager: maven
Name: org.jenkins-ci.plugins:simple-travis-runner
Vulnerable Version: >=0 <=1.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00248 (percentile 0.47908)
Details
Jenkins Simple Travis Pipeline Runner Plugin script sandbox bypass vulnerability
Jenkins Simple Travis Pipeline Runner Plugin defines a custom list of pre-approved signatures for scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This results in arbitrary code execution on any Jenkins instance with this plugin installed. As of publication of this advisory, there is no fix.
Metadata
Created: 2022-05-24T16:52:46Z
Modified: 2023-10-26T22:51:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x7p9-vx6v-wv84/GHSA-x7p9-vx6v-wv84.json
CWE IDs: []
Alternative ID: GHSA-x7p9-vx6v-wv84
Finding: F422
Auto approve: 1