#VU22160 Permissions, Privileges, and Access Controls in Puppet Enterprise Pipeline - CVE-2019-10458
Published: October 22, 2019
Vulnerability identifier: #VU22160
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-10458
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Puppet Enterprise Pipeline
Software vendor: Jenkins
Description
The vulnerability allows a remote authenticated attacker to escalate privileges on the affected system.
The vulnerability exists because the affected plugin specifies unsafe values in its custom Script Security whitelist, the list of Java and Groovy signatures that sandboxed scripts are allowed to call. A remote authenticated attacker who can define sandboxed Pipeline scripts can use those whitelisted signatures to bypass the Script Security sandbox and execute arbitrary code in the Jenkins controller JVM on any Jenkins instance with this plugin installed.
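The class of mistake described above, as an added example that is not part of this advisory and not the Puppet Enterprise Pipeline plugin's own code: a small Python linter for a Script Security static whitelist. Script Security reads such whitelists one signature per line in the form `<kind> <declaring class> <member> [<parameter type> ...]`, where kind is one of method, staticMethod, new, field or staticField and lines beginning with `#` are comments. The sample whitelist below is constructed for the example, the deny patterns are this example's own heuristics rather than a list published by Jenkins, and the specific unsafe entries shipped by the affected plugin are not given on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entry kinds accepted by the Script Security static whitelist format.
KINDS = {"method", "staticMethod", "new", "field", "staticField"}

# Deny heuristics as (declaring-class regex, member regex). These are this
# example's own judgement of what must never be reachable from a sandboxed
# script (process execution, reflection, class loading, file I/O, Groovy
# evaluators, Jenkins model objects); Script Security ships no such list.
DANGEROUS: List[Tuple[str, str]] = [
    (r"^java\.lang\.Runtime$", r".*"),
    (r"^java\.lang\.ProcessBuilder$", r".*"),
    (r"^java\.lang\.reflect\.", r".*"),
    (r"^java\.lang\.Class$", r"^(forName|getMethod|getDeclaredMethod|getConstructor|newInstance)$"),
    (r"^java\.lang\.Object$", r"^(getClass|invokeMethod|getMetaClass|setMetaClass)$"),
    (r"^groovy\.lang\.(GroovyShell|GroovyClassLoader|MetaClass.*)$", r".*"),
    (r"^java\.io\.(File|FileInputStream|FileOutputStream|FileReader|FileWriter|RandomAccessFile)$", r".*"),
    (r"^java\.nio\.file\.Files$", r".*"),
    (r"^java\.lang\.System$", r"^(exit|getenv|setProperty|load|loadLibrary)$"),
    (r"^java\.lang\.Thread$", r".*"),
    (r"^jenkins\.model\.Jenkins$", r".*"),
    (r"^hudson\.", r".*"),
]


@dataclass(frozen=True)
class Signature:
    kind: str
    clazz: str
    member: str              # method/field name, or "<init>" for constructors
    params: Tuple[str, ...]


def parse_line(line: str) -> Optional[Signature]:
    """Parse one whitelist line; blank lines and '#' comments yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    kind = parts[0]
    if kind not in KINDS:
        raise ValueError(f"unknown entry kind in {line!r}")
    if kind == "new":
        # "new java.lang.StringBuilder int": the class is the constructor's owner.
        if len(parts) < 2:
            raise ValueError(f"malformed constructor entry {line!r}")
        return Signature(kind, parts[1], "<init>", tuple(parts[2:]))
    if len(parts) < 3:
        raise ValueError(f"malformed entry {line!r}")
    return Signature(kind, parts[1], parts[2], tuple(parts[3:]))


def why_dangerous(sig: Signature) -> Optional[str]:
    """Return the matching deny pattern, or None if the entry looks benign."""
    for cls_re, mem_re in DANGEROUS:
        if re.match(cls_re, sig.clazz) and re.match(mem_re, sig.member):
            return f"{sig.clazz} {sig.member} matches deny pattern {cls_re}"
    return None


def audit(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, entry, reason) for every entry that defeats the sandbox."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        sig = parse_line(raw)
        if sig is not None:
            reason = why_dangerous(sig)
            if reason:
                findings.append((lineno, raw.strip(), reason))
    return findings


# Constructed sample: a whitelist a Pipeline plugin might wrongly ship.
# Lines 2-5 are harmless string/collection helpers; lines 6-10 each give a
# sandboxed script a way out (process exec, class loading, reflection, eval).
SAMPLE_WHITELIST = """\
# hypothetical plugin whitelist (constructed for this example)
method java.lang.String toUpperCase
staticMethod java.lang.Math max int int
new java.lang.StringBuilder
method java.util.Map get java.lang.Object
staticMethod java.lang.Runtime getRuntime
method java.lang.Runtime exec java.lang.String
staticMethod java.lang.Class forName java.lang.String
method java.lang.Object getClass
new groovy.lang.GroovyShell
"""

if __name__ == "__main__":
    for lineno, entry, reason in audit(SAMPLE_WHITELIST):
        print(f"line {lineno}: {entry}\n    {reason}")
```

Any finding means the plugin has handed that capability to every user allowed to author sandboxed scripts, which is exactly the failure mode this advisory describes; the check is useful when reviewing a plugin's whitelist resource before installing it, but a clean result is only as good as the deny list, so treat it as a first pass rather than proof of safety.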
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.