Simon St John-Green

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided description. **Description** The issue concerns the default whitelist in a script sandbox, which includes unsafe entries such as `DefaultGroovyMethods.putAt(Object, String, Object)` and `DefaultGroovyMethods.getAt(Object, String)`. These entries allow for circumventing access restrictions by using alternative methods to access properties, for example, `currentBuild['rawBuild']` instead of `currentBuild.rawBuild`. Furthermore, certain entries like `groovy.json.JsonOutput.toJson(Closure)` and `groovy.json.JsonOutput.toJson(Object)` enable access to private data that would otherwise be restricted due to script security. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins (affected versions not specified) **Description** The issue allows for arbitrary code execution due to incomplete sandbox protection in Pipeline scripts. Specifically, constructors, instance variable initializers, and instance initializers were not subject to sandbox protection, enabling the execution of arbitrary code. This could be exploited by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Script Security Plugin (affected versions not specified) **Description** The issue concerns the Script Security Plugin, which failed to apply sandboxing restrictions to certain invocations, including constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could allow the invocation of arbitrary constructors and methods, effectively bypassing sandbox protection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.