Description

Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/02/12/3

https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1713

Related Vulnerabilities

CVE-2018-1000410 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-36884 Vulnerability in maven package org.jenkins-ci.plugins:git

CVE-2022-21718 Vulnerability in npm package electron

CVE-2022-42920 Vulnerability in maven package org.apache.bcel:bcel

CVE-2019-16303 Vulnerability in npm package generator-jhipster-kotlin

Severity

Critical

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory Vendor Advisory