CVE-2019-10458

Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.9 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
jenkinspuppet_enterprise_pipeline
𝑥
≤ 1.3.1
𝑥
= Vulnerable software versions
References
https://jenkins.io/security/advisory/2019-10-16/#SECURITY-918
https://jenkins.io/security/advisory/2019-10-16/#SECURITY-918