CVE-2019-10380
First published: Wed Aug 07 2019(Updated: )
Jenkins Simple Travis Pipeline Runner Plugin 1.0 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Simple Travis Pipeline Runner | <=1.0 | |
| maven/org.jenkins-ci.plugins:simple-travis-runner | <=1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-10380?
CVE-2019-10380 is a vulnerability in the Jenkins Simple Travis Pipeline Runner Plugin that allows the bypass of Script Security sandbox protection.
What is the severity of CVE-2019-10380?
The severity of CVE-2019-10380 is rated as high with a CVSS score of 8.8.
Which software is affected by CVE-2019-10380?
Jenkins Simple Travis Pipeline Runner Plugin version 1.0 and earlier is affected by CVE-2019-10380.
How can CVE-2019-10380 be exploited?
CVE-2019-10380 can be exploited by using custom pre-approved signatures to bypass the Script Security sandbox protection in the plugin.
Are there any references available for CVE-2019-10380?
Yes, you can refer to the following links for more information about CVE-2019-10380: [Link 1](http://www.openwall.com/lists/oss-security/2019/08/07/1), [Link 2](https://jenkins.io/security/advisory/2019-08-07/#SECURITY-922), [Link 3](https://nvd.nist.gov/vuln/detail/CVE-2019-10380).
- collector/nvd-index
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-x7p9-vx6v-wv84
- alias/CVE-2019-10380
- collector/github-advisory
- collector/nvd-cve
- vendor/jenkins
- canonical/jenkins simple travis pipeline runner
- version/jenkins simple travis pipeline runner/1.0
- package-manager/maven