Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM

2022-05-1301:48:33

Google

osv.dev

7.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

43.3%

JSON

An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM.

CPENameOperatorVersion
org.jenkins-ci.plugins:liquibase-runnereq1.2.1
org.jenkins-ci.plugins:liquibase-runnereq1.0.1
org.jenkins-ci.plugins:liquibase-runnereq1.4.2
org.jenkins-ci.plugins:liquibase-runnereq1.0.0
org.jenkins-ci.plugins:liquibase-runnereq1.3.0
org.jenkins-ci.plugins:liquibase-runnereq1.1.0
org.jenkins-ci.plugins:liquibase-runnereq1.2.0
org.jenkins-ci.plugins:liquibase-runnereq1.0.2

Name	Operator	Version
org.jenkins-ci.plugins:liquibase-runner	eq	1.2.1
org.jenkins-ci.plugins:liquibase-runner	eq	1.0.1
org.jenkins-ci.plugins:liquibase-runner	eq	1.4.2
org.jenkins-ci.plugins:liquibase-runner	eq	1.0.0
org.jenkins-ci.plugins:liquibase-runner	eq	1.3.0
org.jenkins-ci.plugins:liquibase-runner	eq	1.1.0
org.jenkins-ci.plugins:liquibase-runner	eq	1.2.0
org.jenkins-ci.plugins:liquibase-runner	eq	1.0.2