Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03NnFqLTlnd2gtcHZ2M84AAxJ8
Sandbox bypass in Jenkins Script Security Plugin
A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
Permalink: https://github.com/advisories/GHSA-76qj-9gwh-pvv3JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NnFqLTlnd2gtcHZ2M84AAxJ8
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 4 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-76qj-9gwh-pvv3, CVE-2023-24422
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-24422
- https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016
- https://github.com/jenkinsci/script-security-plugin/commit/4880bbe905a6783d80150c8b881d0127430d4a73
- https://github.com/advisories/GHSA-76qj-9gwh-pvv3
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:script-security
Affected Version Ranges: < 1229.v4880bFixed in: 1229.v4880b