Devin Nusbaum

**Name of the Vulnerable Software and Affected Versions** Jenkins Script Security Plugin versions 1335.vf07d9ce377a e and earlier **Description** A sandbox bypass issue involves sandbox-defined classes that shadow specific non-sandbox-defined classes, allowing attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. The vulnerability exploits crafted constructor bodies that invoke other constructors and sandbox-defined Groovy classes to construct any subclassable type. This enables attackers to bypass the sandbox feature, which is designed to allow low-privileged users to define scripts that are generally safe to execute. **Recommendations** For Jenkins Script Security Plugin versions 1335.vf07d9ce377a e and earlier, consider disabling the sandbox feature until a patch is available to prevent attackers from bypassing the sandbox protection. Restrict access to the Jenkins controller JVM to minimize the risk of exploitation. Avoid using crafted constructor bodies and sandbox-defined Groovy classes in sandboxed scripts until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Script Security Plugin versions 1335.vf07d9ce377a e and earlier **Description** A sandbox bypass issue allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. This is due to crafted constructor bodies that can invoke other constructors, allowing the construction of any subclassable type via implicit casts. Additionally, sandbox-defined Groovy classes that shadow specific non-sandbox-defined classes can be used to construct any subclassable type. The issue is caused by an incomplete fix of a previous security issue. **Recommendations** For Jenkins Script Security Plugin versions 1335.vf07d9ce377a e and earlier, update to version 1336.vf33a a 9863911 or later, which includes additional restrictions and sanity checks to prevent the construction of super constructors without being intercepted by the sandbox. As a temporary workaround, consider restricting access to the sandbox feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.415 and earlier Jenkins LTS versions 2.401.2 and earlier **Description** The issue is related to the transformation of URLs in build logs into hyperlinks, which are not properly sanitized or encoded. This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by attackers who can control the contents of build logs. **Recommendations** For Jenkins versions 2.415 and earlier, update to version 2.416 or later to resolve the issue. For Jenkins LTS versions 2.401.2 and earlier, update to version 2.401.3 or later to resolve the issue. As a temporary workaround, consider disabling the transformation of URLs into hyperlinks in build logs until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Jenkins Script Security Plugin versions 1228.vd93135a 2fb 25 and earlier **Description** The issue is related to errors in processing data by map constructors, which can be exploited by a remote attacker to bypass the sandbox and execute arbitrary code in the context of the Jenkins controller JVM. This allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection. **Recommendations** For Jenkins Script Security Plugin versions 1228.vd93135a 2fb 25 and earlier, consider restricting the use of map constructors in sandboxed scripts until a patch is available. As a temporary workaround, limit the permissions for defining and running sandboxed scripts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline: Groovy Libraries Plugin versions 612.v84da 9c54906d and earlier Jenkins Pipeline: Deprecated Groovy Libraries Plugin versions 583.vf3b 454e43966 and earlier **Description** A sandbox bypass issue allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. The `library` step in the affected plugins can be used to invoke sandbox-generated synthetic constructors in crafted untrusted libraries and construct any subclassable type. This issue is similar to a previously reported security advisory, but it affects a different plugin. **Recommendations** For Jenkins Pipeline: Groovy Libraries Plugin versions 612.v84da 9c54906d and earlier, update to version 613.v9c41a 160233f or later, which rejects improper calls to sandbox-generated synthetic constructors when using the `library` step. For Jenkins Pipeline: Deprecated Groovy Libraries Plugin versions 583.vf3b 454e43966 and earlier, update to version 588.v576c103a ff86 or later, which no longer contains the `library` step. As a temporary workaround, consider restricting the use of the `library` step in sandboxed Pipelines to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline: Deprecated Groovy Libraries Plugin versions 583.vf3b 454e43966 and earlier Jenkins Pipeline: Groovy Libraries Plugin versions 612.v84da 9c54906d and earlier **Description** A sandbox bypass issue allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. The `library` step in the affected plugins can be used to invoke sandbox-generated synthetic constructors in crafted untrusted libraries and construct any subclassable type. This issue is similar to a previously reported security advisory, but it affects a different plugin. **Recommendations** For Jenkins Pipeline: Deprecated Groovy Libraries Plugin versions 583.vf3b 454e43966 and earlier, update to a version that no longer contains the `library` step, such as 588.v576c103a ff86 or later. For Jenkins Pipeline: Groovy Libraries Plugin versions 612.v84da 9c54906d and earlier, update to version 613.v9c41a 160233f or later, which rejects improper calls to sandbox-generated synthetic constructors when using the `library` step.

**Name of the Vulnerable Software and Affected Versions** Jenkins Script Security Plugin versions 1183.v774b 0b 0a a 451 and earlier **Description** A sandbox bypass issue exists, involving crafted constructor bodies and calls to sandbox-generated synthetic constructors, which allows attackers with permission to define and run sandboxed scripts to bypass sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. **Recommendations** For versions 1183.v774b 0b 0a a 451 and earlier, update to a version that contains a fix for this issue to prevent sandbox bypass and arbitrary code execution.

**Name of the Vulnerable Software and Affected Versions** Jenkins Script Security Plugin versions 1183.v774b 0b 0a a 451 and earlier **Description** A sandbox bypass issue involving implicit casts by the Groovy language runtime allows attackers with permission to define and run sandboxed scripts to bypass sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. This affects scripts including Pipelines. **Recommendations** For versions 1183.v774b 0b 0a a 451 and earlier, update to a version that fixes the sandbox bypass vulnerability to prevent attackers from executing arbitrary code in the context of the Jenkins controller JVM. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline: Groovy Plugin versions 2802.v5ea 628154b c2 and earlier **Description** A sandbox bypass issue involves implicit casts by the Groovy language runtime, allowing attackers with permission to define and run sandboxed scripts to bypass sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. **Recommendations** For versions 2802.v5ea 628154b c2 and earlier, update to a version that intercepts Groovy casts performed implicitly by the Groovy language runtime, such as version 2803.v1a f77ffcc773 or later.

**Name of the Vulnerable Software and Affected Versions** Jenkins Script Security Plugin versions 1183.v774b 0b 0a a 451 and earlier **Description** A sandbox bypass issue involves casting an array-like value to an array type, allowing attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. **Recommendations** For Jenkins Script Security Plugin versions 1183.v774b 0b 0a a 451 and earlier, update to a version that intercepts per-element casts when casting array-like values to array types, such as version 1184.v85d16b d851b 3 or later.

**Name of the Vulnerable Software and Affected Versions** Jenkins Bitbucket Branch Source Plugin versions prior to 746.v350d2781c184 Jenkins Bitbucket Branch Source Plugin versions prior to 725.vd9f8be0fa250 Jenkins Bitbucket Branch Source Plugin versions prior to 2.9.11.2 Jenkins Bitbucket Branch Source Plugin versions prior to 2.9.7.2 Jenkins Bitbucket Branch Source Plugin version 737.vdf9dc06105be and earlier **Description** A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. This issue arises because the plugin does not require POST requests for a specific HTTP endpoint, which can be exploited by attackers with Overall/Read access. **Recommendations** For Jenkins Bitbucket Branch Source Plugin versions prior to 746.v350d2781c184, update to version 746.v350d2781c184 or later. For Jenkins Bitbucket Branch Source Plugin versions prior to 725.vd9f8be0fa250, update to version 725.vd9f8be0fa250 or later. For Jenkins Bitbucket Branch Source Plugin versions prior to 2.9.11.2, update to version 2.9.11.2 or later. For Jenkins Bitbucket Branch Source Plugin versions prior to 2.9.7.2, update to version 2.9.7.2 or later. For Jenkins Bitbucket Branch Source Plugin version 737.vdf9dc06105be and earlier, update to a version later than 737.vdf9dc06105be.

**Name of the Vulnerable Software and Affected Versions** Jenkins CloudBees CD Plugin versions 1.1.21 and earlier **Description** The issue concerns a lack of permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission. This affects the scheduling of builds via the HTTP endpoint, which requires Item/Build permission. **Recommendations** For Jenkins CloudBees CD Plugin versions 1.1.21 and earlier, consider restricting access to the HTTP endpoint to minimize the risk of exploitation until a patch is available. As a temporary workaround, ensure that only users with Item/Build permission can schedule builds of projects.

**Name of the Vulnerable Software and Affected Versions** Jenkins Warnings Plugin versions 5.0.1 and earlier **Description** A cross-site request forgery (CSRF) vulnerability allows attackers to execute arbitrary code. This issue arises because the plugin does not require POST requests for a form validation method intended for testing custom warnings parsers. **Recommendations** For Jenkins Warnings Plugin versions 5.0.1 and earlier, update to version 5.0.2 or later, which requires POST requests for the affected form validation method, thus mitigating the CSRF vulnerability.

Name of the Vulnerable Software and Affected Versions: Jenkins Promoted Builds Plugin versions 2.31.1 and earlier Description: An improper authorization issue exists that allows an attacker with read access to jobs to perform promotions. This is due to vulnerabilities in Status.java and ManualCondition.java. Recommendations: For Jenkins Promoted Builds Plugin versions 2.31.1 and earlier, update to a version later than 2.31.1 to resolve the issue. As a temporary workaround, consider restricting read access to jobs to minimize the risk of exploitation.