Description
In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
Remediation
References
http://www.openwall.com/lists/oss-security/2023/02/15/4
https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-2939