Sandbox Bypass Vulnerability in Jenkins Script Security Plugin
CVE-2020-2279

9.9CRITICAL

Key Information:

Vendor: Jenkins
Status: Jenkins Script Security Plugin
Vendor: CVE Published:; 23 September 2020

Summary

A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin versions 1.74 and earlier. This flaw permits attackers who have the authority to define sandboxed scripts to send crafted return values or manipulate script binding content, potentially leading to arbitrary code execution on the Jenkins controller Java Virtual Machine (JVM). Prompt updating to patched versions is recommended to mitigate risks associated with this vulnerability.

Affected Version(s)

Jenkins Script Security Plugin <= 1.74

Jenkins Script Security Plugin 1.66.5

References

https://www.jenkins.io/security/advisory/2020-09-23/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2020/09/23/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Sep 23, 2020
Vulnerability Reserved
Dec 5, 2019