Page 29 of 208 results (0.011 seconds)

CVSS: 9.9EPSS: 9%CPEs: 2EXPL: 1

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM. Existe una vulnerabilidad de omisión de sandbox en Jenkins Pipeline: Groovy Plugin, en versiones 2.63 y anteriores en pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java, permite a los atacantes capacitados para controlar los scripts de tuberías ejecutar código arbitrario en el maestro JVM de Jenkins. A flaw was found in the Jenkins Workflow CPS plugin. Parsing, compilation, and script instantiations provided by a crafted Groovy script could escape the sandbox allowing users to execute arbitrary code on the Jenkins master. The highest risk from this vulnerability is to data confidentiality and integrity as well as system availability. • https://www.exploit-db.com/exploits/48904 http://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html http://www.securityfocus.com/bid/107476 https://access.redhat.com/errata/RHSA-2019:0739 https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20%282%29 https://access.redhat.com/security/cve/CVE-2019-1003030 https://bugzilla.redhat.com/show_bug.cgi?id=1690665 • CWE-20: Improper Input Validation •

CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 1

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM. Existe una vulnerabilidad de omisión de sandbox en Jenkins Script Security Plugin, en la versión 1.53 y anteriores en src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, que permite a los atacantes con permisos de "Overall/Read" ejecutar código arbitrario en el maestro JVM de Jenkins. A flaw was found in the Jenkins Script Security plugin version 1.53. An attacker with Overall/Read permissions is able to escape the sandbox and execute arbitrary code on the Jenkins master JVM. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • https://github.com/orangetw/awesome-jenkins-rce-2019 http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html http://www.securityfocus.com/bid/107476 https://access.redhat.com/errata/RHSA-2019:0739 https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20%281%29 https://access.redhat.com/security/cve/CVE-2019-1003029 https://bugzilla.redhat.com/show_bug.cgi?id=1689873 https://jenkins.io/security/advisory/2019-01-08 https://blog.orange.tw/2019/01& • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •

CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0

A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM. Existe una vulnerabilidad de omisión de sandbox en el plugin Jenkins Matrix Project, en versiones 1.13 y anteriores, en pom.xml, src/main/java/hudson/matrix/FilterScript.java, que permite a los atacantes con permisos de "Job/Configure" ejecutar código arbitrario en el maestro JVM de Jenkins. A flaw was found in the Jenkins Matrix Project plugin version 1.13. An attacker with Job/Configure permission can bypass the sandbox and can execute arbitrary code on the Jenkins master JVM. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • http://www.securityfocus.com/bid/107476 https://access.redhat.com/errata/RHSA-2019:0739 https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1339 https://access.redhat.com/security/cve/CVE-2019-1003031 https://bugzilla.redhat.com/show_bug.cgi?id=1689886 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •

CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0

A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM. Existe una vulnerabilidad de omisión de sandbox en el plugin Jenkins Job DSL, en versiones 1.71 y anteriores, en job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy y job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy que permite a los atacantes con control sobre las definiciones DSL "Job" ejecutar código arbitrario en el maestro JVM de Jenkins. A flaw was found in the Jenkins Job DSL plugin. Parsing, compilation, and script instantiations provided by a crafted Groovy script could escape the sandbox allowing users to execute arbitrary code on the Jenkins master. The highest risk from this vulnerability is to data confidentiality and integrity as well as system availability. • http://www.securityfocus.com/bid/107476 https://access.redhat.com/errata/RHSA-2019:0739 https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1342 https://access.redhat.com/security/cve/CVE-2019-1003034 https://bugzilla.redhat.com/show_bug.cgi?id=1690663 • CWE-20: Improper Input Validation •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. Existe una vulnerabilidad de omisión de sandbox en Jenkins Script Security Plugin, en versiones 1.52 y anteriores, en RejectASTTransformsCustomizer.java, que permite que los atacantes con permisos Overall/Read proporcionen un script de Groovy a un endpoint HTTP que puede resultar en la ejecución de código arbitrario en el JVM maestro de Jenkins. A flaw was found in the Jenkins script security sandbox. The previously implemented script security sandbox protections prohibiting the use of unsafe AST transforming annotations such as @Grab could be circumvented through use of various Groovy language features including the use of AnnotationCollector, import aliasing, and referencing annotation types using their full class name. This allows users with Overall/Read permission, or the ability to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master. • http://www.securityfocus.com/bid/107295 https://access.redhat.com/errata/RHSA-2019:0739 https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1320 https://access.redhat.com/security/cve/CVE-2019-1003024 https://bugzilla.redhat.com/show_bug.cgi?id=1684556 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •