Description

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/11/21/1

https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1658

Related Vulnerabilities

CVE-2020-7617 Vulnerability in npm package ini-parser

CVE-2019-10305 Vulnerability in maven package com.xebialabs.xl-deploy:jenkins-dependendencies

CVE-2020-2239 Vulnerability in maven package org.jenkins-ci.plugins:parameterized-remote-trigger

CVE-2022-31189 Vulnerability in maven package org.dspace:dspace-jspui

CVE-2020-7598 Vulnerability in maven package org.webjars.npm:minimist

Severity

Critical

Classification

CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory Vendor Advisory