Sandbox Bypass Vulnerability in Jenkins Script Security Plugin by Jenkins
CVE-2019-10356

8.8HIGH

Key Information:

Vendor

Jenkins
Status
Jenkins Script Security Plugin
Vendor
CVE Published:
31 July 2019

What is CVE-2019-10356?

The Jenkins Script Security Plugin prior to version 1.62 is vulnerable to a sandbox bypass that allows attackers to execute arbitrary code within scripts that are intended to be sandboxed. This flaw stems from improper handling of method pointer expressions, which could be exploited by a malicious actor to execute unauthorized commands, bypassing security restrictions designed to limit script execution in a contained environment. It is crucial for users to update to the latest version of the plugin to mitigate potential security risks.

Affected Version(s)

Jenkins Script Security Plugin 1.61 and earlier

References

http://www.openwall.com/lists/oss-security/2019/07/31/1
mailing-listx_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:2651
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2594
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.