Description
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.74 and earlier allows attackers with permission to define sandboxed scripts to provide crafted return values or script binding content that can result in arbitrary code execution on the Jenkins controller JVM.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/09/23/1
https://www.jenkins.io/security/advisory/2020-09-23/#SECURITY-2020