Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0zaHZjLXh3anAteHI4bc4AASkb

Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM

An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM.

Permalink: https://github.com/advisories/GHSA-3hvc-xwjp-xr8m
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zaHZjLXh3anAteHI4bc4AASkb
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 5 months ago

CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-3hvc-xwjp-xr8m, CVE-2018-1000146
References: Repository: https://github.com/jenkinsci/liquibase-runner-plugin
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:liquibase-runner
Affected Version Ranges: < 1.4.3
Fixed in: 1.4.3