Description
An arbitrary code execution vulnerability exists in Liquibase Runner Plugin version 1.3.0 and older that allows an attacker with permission to configure jobs to load and execute arbitrary code on the Jenkins master JVM.
References (1)
Core References
Vendor Advisory (x_refsource_confirm): https://jenkins.io/security/advisory/2018-03-26/#SECURITY-519
Scores
CVSS v3: 8.8
EPSS: 0.0023
EPSS Percentile: 45.4%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
Status: published
Products (2)
jenkins/liquibase_runner: < 1.3.0
org.jenkins-ci.plugins/liquibase-runner (Maven): 0 - 1.4.3
Published: Apr 05, 2018
Tracked Since: Feb 18, 2026