Description

Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/02/12/3

https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1713

Related Vulnerabilities

CVE-2020-11007 Vulnerability in maven package com.shopizer:sm-core-model

CVE-2021-26543 Vulnerability in npm package git-parse

CVE-2021-21695 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2019-1003087 Vulnerability in maven package org.jenkins-ci.plugins:labmanager

CVE-2020-2221 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

Critical

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory Vendor Advisory