Description
Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST-transforming annotations to imports or by using them inside other annotations.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/02/12/3
https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1713