CVE-2019-10458

9.9 CRITICAL

📋 TL;DR

This vulnerability in the Jenkins Puppet Enterprise Pipeline plugin allows attackers with Script Security script execution permissions to bypass sandbox restrictions and execute arbitrary code on the Jenkins controller. It affects Jenkins installations running Puppet Enterprise Pipeline plugin version 1.3.1 or earlier. Attackers need existing script execution privileges to exploit this flaw.

💻 Affected Systems

Products:
  • Jenkins Puppet Enterprise Pipeline Plugin
Versions: 1.3.1 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Jenkins with Puppet Enterprise Pipeline plugin installed. Attackers need 'Run Scripts' permission in Script Security to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case
Full compromise of Jenkins controller with arbitrary code execution, leading to complete system takeover, data exfiltration, and lateral movement within the network.

🟠 Likely Case
Privileged attackers with script execution rights can execute arbitrary code on the Jenkins controller, potentially gaining persistent access and compromising build pipelines.

🟢 If Mitigated
With proper access controls limiting script execution to trusted users only, impact is reduced to authorized users potentially misusing their privileges.

🌐 Internet-Facing: HIGH if Jenkins is internet-facing and attackers can authenticate or find credential leaks, as they could then exploit this vulnerability.
🏢 Internal Only: HIGH for internal Jenkins instances, as attackers with internal access or compromised credentials can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with script execution permissions. The flaw lies in the plugin's custom Script Security whitelist, which exposes methods that let otherwise sandboxed Groovy scripts run unsafe code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.2 or later

Vendor Advisory: https://jenkins.io/security/advisory/2019-10-16/#SECURITY-918

Restart Required: Yes

Instructions:

1. Update Jenkins Puppet Enterprise Pipeline plugin to version 1.3.2 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.
3. Verify the plugin version in Manage Jenkins > Manage Plugins > Installed tab.

🔧 Temporary Workarounds

Disable vulnerable plugin (Platforms: all)

Temporarily disable the Puppet Enterprise Pipeline plugin if immediate patching isn't possible.

Navigate to Manage Jenkins > Manage Plugins > Installed tab, find 'Puppet Enterprise Pipeline' and click 'Disable'.

Restrict script execution permissions (Platforms: all)

Tighten Script Security permissions to limit who can execute scripts.

Navigate to Manage Jenkins > Configure Global Security > Script Security, review and restrict 'Run Scripts' permissions.

🧯 If You Can't Patch

  • Remove or disable Puppet Enterprise Pipeline plugin entirely
  • Implement strict access controls to limit script execution to only absolutely necessary trusted users

🔍 How to Verify

Check if Vulnerable:

Check installed plugin version in Jenkins: Manage Jenkins > Manage Plugins > Installed tab, look for 'Puppet Enterprise Pipeline' plugin version.

Check Version:

curl -s 'http://jenkins-url/pluginManager/api/json?depth=1' | jq -r '.plugins[] | select(.shortName == "puppet-enterprise-pipeline") | .version'

(The plugin manager API does not emit "shortName" and "version" adjacently, so a fixed-string grep for both keys will not match; select the plugin by shortName instead. Quote the URL so the shell does not expand "?", and add -u USER:API_TOKEN if anonymous read access is disabled. No output means the plugin is not installed.)

Verify Fix Applied:

Verify plugin version is 1.3.2 or later in Manage Jenkins > Manage Plugins > Installed tab.
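As an added example (not part of this advisory), a small Python checker that parses the plugin manager API document the curl command above returns, finds the plugin by shortName rather than relying on field adjacency, and compares versions numerically so that 1.10.x is correctly treated as newer than 1.3.2. The base URL, credentials and the "enabled" field are assumptions; the sample document is constructed.

```python
import base64
import json
import re
import urllib.request

PLUGIN = "puppet-enterprise-pipeline"  # shortName reported by the Jenkins plugin manager API
FIXED = "1.3.2"                         # first fixed release per the advisory


def parse_version(v):
    """Turn '1.3.1' (or '1.3.1-beta') into a tuple of ints; lexical comparison
    would wrongly rank '1.10.0' below '1.3.2'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def assess(plugins_json):
    """Return 'not-installed', 'fixed', 'vulnerable' or 'vulnerable-disabled'
    for a /pluginManager/api/json?depth=1 document (str or already-parsed dict)."""
    data = json.loads(plugins_json) if isinstance(plugins_json, str) else plugins_json
    for p in data.get("plugins", []):
        if p.get("shortName") != PLUGIN:
            continue
        status = "fixed" if parse_version(p["version"]) >= parse_version(FIXED) else "vulnerable"
        # 'enabled' is assumed to be present; a disabled plugin is the workaround, not the fix
        if status == "vulnerable" and not p.get("enabled", True):
            status = "vulnerable-disabled"
        return status
    return "not-installed"


def fetch_and_assess(base_url, auth=None):
    """Query a live controller. base_url and the (user, api_token) pair are assumptions."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    if auth:
        cred = base64.b64encode(":".join(auth).encode()).decode()
        req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return assess(resp.read().decode())


# Constructed sample shaped like the plugin manager API output (fields abbreviated).
SAMPLE = json.dumps({"plugins": [
    {"shortName": "script-security", "enabled": True, "version": "1.66"},
    {"shortName": "puppet-enterprise-pipeline", "enabled": True, "version": "1.3.1"},
]})

if __name__ == "__main__":
    print(assess(SAMPLE))  # vulnerable
```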

📡 Detection & Monitoring

Log Indicators:

  • Unusual Groovy script execution in Jenkins logs
  • Script Security sandbox bypass attempts
  • Plugin update/installation activity

Network Indicators:

  • Unusual outbound connections from Jenkins controller
  • Unexpected process execution on Jenkins host

SIEM Query:

source="jenkins.log" AND ("Script Security" OR "sandbox" OR "puppet-enterprise-pipeline") AND ("bypass" OR "unsafe" OR "whitelist")

🔗 References
