Description
It was found that the use of Pipeline: Classpath Step Jenkins plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins.
Remediation
References
http://www.securityfocus.com/bid/96981
https://jenkins.io/security/advisory/2017-03-20/
Related Vulnerabilities
CVE-2020-11022 Vulnerability in maven package org.fujion.webjars:jquery
CVE-2019-10305 Vulnerability in maven package com.xebialabs.xl-deploy:jenkins-dependendencies
CVE-2020-12648 Vulnerability in maven package org.webjars:tinymce
CVE-2023-38509 Vulnerability in maven package org.xwiki.platform:xwiki-platform-livetable-ui