Jenkins Puppet Enterprise Pipeline 1.3.1 and earlier specifies unsafe values in its custom Script Security whitelist, allowing attackers able to execute Script Security protected scripts to execute arbitrary code.

Affected Packages

Maven org.jenkins-ci.plugins.workflow:puppet-enterprise-pipeline

Affected versions: 0 (last affected: 1.3.1)

Related CVEs

CVE-2019-10458

Key Information

GHSA ID

GHSA-mj9c-vjp9-pggh

Published

May 24, 2022 4:58 PM

Last Modified

September 8, 2022 7:49 PM

CVSS Score

9.0 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins.workflow:puppet-enterprise-pipeline

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.