Sandbox Bypass Vulnerability in Jenkins Script Security Plugin Allows Arbitrary Code Execution
CVE-2024-34145
8.8 HIGH
Summary
A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin and affects versions up to and including 1335.vf07d9ce377a_e. It allows attackers with permission to define and execute sandboxed scripts, such as Pipelines, to bypass the sandbox protection. By exploiting this flaw, an attacker can run arbitrary code in the context of the Jenkins controller JVM, compromising the integrity of the Jenkins environment. Users of affected versions should apply the available updates to mitigate the risk.
Affected Version(s)
Jenkins Script Security Plugin 0 <= 1335.vf07d9ce377a_e
CVSS v3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged