Sandbox Bypass Vulnerability in Jenkins Script Security Plugin
CVE-2023-24422

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Script Security Plugin
Vendor: CVE Published:; 26 January 2023

Summary

A significant vulnerability affects the Jenkins Script Security Plugin, enabling attackers with the right permissions to circumvent sandbox limitations. Through the manipulation of map constructors, they can execute arbitrary code within the Jenkins controller JVM. This presents a serious threat to the integrity and security of the Jenkins installation, potentially compromising sensitive data and workflows. It is essential for users to implement available safeguards and updates to protect against this exploit.

Affected Version(s)

Jenkins Script Security Plugin <= 1228.vd93135a_2fb_25

Jenkins Script Security Plugin 1175.1180.v36a_3fb_2dec9c

References

https://www.jenkins.io/security/advisory/2023-01-24/#SECU...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jan 26, 2023
Vulnerability Reserved
Jan 23, 2023