CVE-2018-1000146
First published: Thu Apr 05 2018(Updated: )
An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Liquibase Runner | <=1.3.0 | |
| maven/org.jenkins-ci.plugins:liquibase-runner | <1.4.3 | 1.4.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://jenkins.io/security/advisory/2018-03-26/#SECURITY-519
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000146
- https://github.com/jenkinsci/liquibase-runner-plugin/commit/1817af0b5bb17e690d89c0a1623de8bd47f8c1a1
- https://github.com/jenkinsci/liquibase-runner-plugin/commit/382a1ea84910db28a88089306b24d1e80818f0a5
- https://github.com/jenkinsci/liquibase-runner-plugin/commit/7726ce4569a287e32fbda6f01ad2846ada909436
- https://github.com/advisories/GHSA-3hvc-xwjp-xr8m (Advisory)
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-3hvc-xwjp-xr8m
- alias/CVE-2018-1000146
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/references
- agent/tags
- agent/event
- agent/description
- agent/trending
- vendor/jenkins
- canonical/jenkins liquibase runner
- version/jenkins liquibase runner/1.3.0
- package-manager/maven