Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zaHZjLXh3anAteHI4bc4AASkb
Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM
An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM.
Permalink: https://github.com/advisories/GHSA-3hvc-xwjp-xr8m
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zaHZjLXh3anAteHI4bc4AASkb
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-3hvc-xwjp-xr8m, CVE-2018-1000146
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000146
- https://jenkins.io/security/advisory/2018-03-26/#SECURITY-519
- https://github.com/jenkinsci/liquibase-runner-plugin/commit/1817af0b5bb17e690d89c0a1623de8bd47f8c1a1
- https://github.com/jenkinsci/liquibase-runner-plugin/commit/382a1ea84910db28a88089306b24d1e80818f0a5
- https://github.com/jenkinsci/liquibase-runner-plugin/commit/7726ce4569a287e32fbda6f01ad2846ada909436
- https://github.com/advisories/GHSA-3hvc-xwjp-xr8m
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:liquibase-runner
Affected Version Ranges: < 1.4.3
Fixed in: 1.4.3