Circumvention Vulnerability in Jenkins Script Security Plugin by CloudBees
CVE-2020-2110

8.8HIGH

Key Information:

Vendor
Jenkins
Status
Jenkins Script Security Plugin
Vendor
CVE Published:
12 February 2020

Summary

The Jenkins Script Security Plugin prior to version 1.70 is vulnerable to sandbox protection circumvention. Attackers can exploit this flaw during the script compilation phase by leveraging AST (Abstract Syntax Tree) transforming annotations on imports or embedding these annotations within others. This undermines the security model expected in Jenkins, allowing potentially harmful scripts to bypass protective barriers, putting systems at risk.

Affected Version(s)

Jenkins Script Security Plugin <= 1.69

References

https://jenkins.io/security/advisory/2020-02-12/#SECURITY...
x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2020/02/12/3
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.