Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.jenkins-ci.plugins/script-security@1.49

Type maven

Namespace org.jenkins-ci.plugins

Name script-security

Version 1.49

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.51

Latest_non_vulnerable_version 1229.v4880b_b_e905a_6

Affected_by_vulnerabilities

url VCID-18m7-m66g-w3ae

vulnerability_id VCID-18m7-m66g-w3ae

summary

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShellFactory.java that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

references

reference_url	http://packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-Code-Execution.html
reference_id
reference_type
scores
url	http://packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-Code-Execution.html

reference_url	https://access.redhat.com/errata/RHBA-2019:0326
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHBA-2019:0326

reference_url	https://access.redhat.com/errata/RHBA-2019:0327
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHBA-2019:0327

reference_url	https://github.com/jenkinsci/pipeline-model-definition-plugin/commit/6d7884dec610bf34503d24d494d994e9fc607642
reference_id
reference_type
scores
url	https://github.com/jenkinsci/pipeline-model-definition-plugin/commit/6d7884dec610bf34503d24d494d994e9fc607642

reference_url	https://github.com/jenkinsci/script-security-plugin/commit/2c5122e50742dd16492f9424992deb21cc07837c
reference_id
reference_type
scores
url	https://github.com/jenkinsci/script-security-plugin/commit/2c5122e50742dd16492f9424992deb21cc07837c

reference_url	https://github.com/jenkinsci/workflow-cps-plugin/commit/66c3e7aafe7888d4e1fe9995a688bb3fb742d742
reference_id
reference_type
scores
url	https://github.com/jenkinsci/workflow-cps-plugin/commit/66c3e7aafe7888d4e1fe9995a688bb3fb742d742

reference_url	https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266
reference_id
reference_type
scores
url	https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266

reference_url	https://www.exploit-db.com/exploits/46572/
reference_id
reference_type
scores
url	https://www.exploit-db.com/exploits/46572/

reference_url	http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming
reference_id
reference_type
scores
url	http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2019-1003001
reference_id	CVE-2019-1003001
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2019-1003001

reference_url	https://github.com/advisories/GHSA-6q78-6xvr-26fg
reference_id	GHSA-6q78-6xvr-26fg
reference_type
scores
url	https://github.com/advisories/GHSA-6q78-6xvr-26fg

fixed_packages

url pkg:maven/org.jenkins-ci.plugins/script-security@1.50

purl pkg:maven/org.jenkins-ci.plugins/script-security@1.50

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4eeq-ksy7-ekak

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/script-security@1.50

aliases CVE-2019-1003001, GHSA-6q78-6xvr-26fg

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-18m7-m66g-w3ae

url VCID-v7j3-7gar-13ct

vulnerability_id VCID-v7j3-7gar-13ct

summary

Code Injection
A sandbox bypass vulnerability exists in Script Security Plugin that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master JVM.

references

reference_url	https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266
reference_id
reference_type
scores
url	https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266

reference_url	https://www.exploit-db.com/exploits/46453/
reference_id
reference_type
scores
url	https://www.exploit-db.com/exploits/46453/

reference_url	https://www.exploit-db.com/exploits/46572/
reference_id
reference_type
scores
url	https://www.exploit-db.com/exploits/46572/

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2019-1003000
reference_id	CVE-2019-1003000
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2019-1003000

fixed_packages

url pkg:maven/org.jenkins-ci.plugins/script-security@1.50

purl pkg:maven/org.jenkins-ci.plugins/script-security@1.50

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4eeq-ksy7-ekak

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/script-security@1.50

aliases CVE-2019-1003000

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v7j3-7gar-13ct

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/script-security@1.49

Package Instance