exploitDog

CVE-2019-10328

Published: 31 May 2019
Source: redhat
CVSS3: 8.8
EPSS: Low

Description

Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.

A flaw was found in the Jenkins Workflow Remote Loader plugin. An unsafe whitelist entry was made that allowed invoking arbitrary methods and bypassing sandbox protection. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
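The two descriptions above give the affected range (Pipeline Remote Loader 1.4 and earlier) but no way to check an instance. The script below is an added example, not code from the advisory, from Red Hat, or from the plugin itself. It assumes the plugin's Jenkins short name is workflow-remote-loader (the Red Hat package on this page is jenkins-plugin-workflow-remote-loader) and that the controller exposes the standard /pluginManager/api/json?depth=1 inventory endpoint. It runs offline against a constructed sample inventory, or against a live controller when given a base URL, user and API token.

```python
"""Inventory check for CVE-2019-10328: flag Pipeline Remote Loader <= 1.4 on a Jenkins controller.

Added example; not part of the advisory or of the plugin's own code.
"""
import base64
import json
import re
import urllib.request

# Assumed Jenkins plugin short name for the package the advisory calls
# jenkins-plugin-workflow-remote-loader / "Pipeline Remote Loader Plugin".
PLUGIN_SHORT_NAME = "workflow-remote-loader"
# The advisory states that 1.4 and earlier are affected.
LAST_AFFECTED = (1, 4)


def parse_version(version: str) -> tuple:
    """Return the leading dotted-numeric part of a plugin version as an int tuple.

    '1.4' -> (1, 4); '1.5-beta' -> (1, 5); qualifiers after the numbers are dropped.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the version is 1.4 or earlier (a literal reading of the advisory's range)."""
    return parse_version(version) <= LAST_AFFECTED


def find_remote_loader(plugin_manager_json: str) -> list:
    """Scan the JSON from /pluginManager/api/json?depth=1 and report the plugin's state."""
    data = json.loads(plugin_manager_json)
    findings = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = str(plugin.get("version", ""))
        findings.append({
            "shortName": PLUGIN_SHORT_NAME,
            "version": version,
            "active": bool(plugin.get("active", False)),
            "affected": is_affected(version),
        })
    return findings


def fetch_plugin_manager_json(base_url: str, user: str, api_token: str) -> str:
    """Pull the plugin inventory from a live controller using HTTP basic auth (user + API token)."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    credentials = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    request = urllib.request.Request(url, headers={"Authorization": "Basic " + credentials})
    with urllib.request.urlopen(request, timeout=30) as response:
        return response.read().decode("utf-8")


# Constructed sample inventory standing in for a real /pluginManager response
# (plugin names and versions here are illustrative, not taken from a real controller).
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "script-security", "version": "1.59", "active": True},
        {"shortName": "workflow-remote-loader", "version": "1.4", "active": True},
        {"shortName": "workflow-cps", "version": "2.69", "active": True},
    ]
})


def main(argv: list) -> int:
    """Usage: check.py [BASE_URL USER API_TOKEN]; without arguments the sample inventory is used."""
    body = fetch_plugin_manager_json(*argv[1:4]) if len(argv) == 4 else SAMPLE_PLUGIN_MANAGER_JSON
    findings = find_remote_loader(body)
    if not findings:
        print(f"{PLUGIN_SHORT_NAME} is not installed")
        return 0
    for f in findings:
        state = "AFFECTED by CVE-2019-10328" if f["affected"] else "outside the affected range"
        print(f"{f['shortName']} {f['version']} (active={f['active']}): {state}")
    return 1 if any(f["affected"] for f in findings) else 0


if __name__ == "__main__":
    import sys
    raise SystemExit(main(sys.argv))
```

The exit code is non-zero when an affected version is installed, so the script can gate a fleet audit. Because the OpenShift 3.6 to 3.10 builds of the plugin are marked "Will not fix" below, an affected instance has to be handled at the plugin level (update the plugin past the affected range, or remove it) rather than waiting for a platform package.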

Affected packages

Platform                                    Package                                  State         Advisory         Released
Red Hat OpenShift Container Platform 3.10   jenkins-plugin-workflow-remote-loader    Will not fix
Red Hat OpenShift Container Platform 3.6    jenkins-plugin-workflow-remote-loader    Will not fix
Red Hat OpenShift Container Platform 3.7    jenkins-plugin-workflow-remote-loader    Will not fix
Red Hat OpenShift Container Platform 3.9    jenkins-plugin-workflow-remote-loader    Will not fix
Red Hat OpenShift Container Platform 3.11   atomic-enterprise-service-catalog        Fixed         RHBA-2019:1605   26 Jun 2019
Red Hat OpenShift Container Platform 3.11   atomic-openshift-cluster-autoscaler      Fixed         RHBA-2019:1605   26 Jun 2019
Red Hat OpenShift Container Platform 3.11   atomic-openshift-descheduler             Fixed         RHBA-2019:1605   26 Jun 2019
Red Hat OpenShift Container Platform 3.11   atomic-openshift-dockerregistry          Fixed         RHBA-2019:1605   26 Jun 2019
Red Hat OpenShift Container Platform 3.11   atomic-openshift-metrics-server           Fixed         RHBA-2019:1605   26 Jun 2019
Red Hat OpenShift Container Platform 3.11   atomic-openshift-node-problem-detector   Fixed         RHBA-2019:1605   26 Jun 2019


Additional information

Severity: Important
Weakness: CWE-184 (Incomplete List of Disallowed Inputs)
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1716794
jenkins-plugin-workflow-remote-loader: Unsafe Script Security whitelist entry in Pipeline Remote Loader Plugin (SECURITY-921)

EPSS

Score: 0.00282 (percentile: 51%), Low

CVSS3

8.8 High

Related vulnerabilities

CVSS3: 9.9
nvd
more than 6 years ago

Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection.

CVSS3: 9.9
github
more than 3 years ago

Unsafe entry in Script Security list of approved signatures in Pipeline Remote Loader Plugin

CVSS3: 9.9
fstec
more than 6 years ago

A vulnerability in the Jenkins Pipeline Remote Loader plugin, related to flaws in its data-protection mechanism, that allows an attacker to bypass sandbox restrictions.
