Description
Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST-transforming annotations to imports or by using them inside other annotations.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/02/12/3
https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1713
Related Vulnerabilities
CVE-2022-3510 Vulnerability in maven package com.google.protobuf:protobuf-javalite
CVE-2020-2132 Vulnerability in maven package com.parasoft:environment-manager
CVE-2019-10404 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2021-4307 Vulnerability in maven package org.webjars.bower:baobab
CVE-2020-13931 Vulnerability in maven package org.apache.tomee:openejb-loader