Description
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts.
Remediation
References
http://www.openwall.com/lists/oss-security/2019/10/01/2
https://access.redhat.com/errata/RHSA-2019:4055
https://access.redhat.com/errata/RHSA-2019:4089
https://access.redhat.com/errata/RHSA-2019:4097
https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1579
Related Vulnerabilities
CVE-2018-1000406 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2020-11022 Vulnerability in maven package org.webjars:jquery
CVE-2019-18394 Vulnerability in maven package org.igniterealtime.openfire:parent
CVE-2020-7610 Vulnerability in maven package org.webjars.npm:bson
CVE-2019-1010266 Vulnerability in maven package org.webjars.npm:lodash