Description
Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST-transforming annotations to imports or by using them inside other annotations.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/02/12/3
https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1713
Related Vulnerabilities
CVE-2022-26112 Vulnerability in maven package org.apache.pinot:pinot-broker
CVE-2019-17558 Vulnerability in maven package org.apache.solr:solr-velocity
CVE-2020-2121 Vulnerability in maven package org.jenkins-ci.plugins:google-kubernetes-engine
CVE-2019-10785 Vulnerability in maven package org.webjars.bower:dojox