CVE-2019-10458 – org.jenkins-ci.plugins.workflow:puppet-enterprise-pipeline
Package
Manager: maven
Name: org.jenkins-ci.plugins.workflow:puppet-enterprise-pipeline
Vulnerable Version: >=0 <=1.3.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00326 (percentile: 0.54918)
Details
Incorrect Authorization in Puppet Enterprise Pipeline Jenkins Plugin

Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.
Metadata
Created: 2022-05-24T16:58:51Z
Modified: 2022-09-08T19:49:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mj9c-vjp9-pggh/GHSA-mj9c-vjp9-pggh.json
CWE IDs: ["CWE-183", "CWE-863"]
Alternative ID: GHSA-mj9c-vjp9-pggh
Finding: F067
Auto approve: 1