CVE-2020-2134

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins Script Security Plugin versions 1.70 and earlier

Description The sandbox protection in the Jenkins Script Security Plugin could be circumvented through crafted constructor calls and bodies, as well as crafted method calls on objects that implement GroovyInterceptable. This allows attackers who can specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

Recommendations For Jenkins Script Security Plugin versions 1.70 and earlier, update to version 1.71 or later, which includes additional restrictions and sanity checks to prevent the circumvention of sandbox protection. As a temporary workaround, consider restricting the use of crafted constructor calls and bodies, as well as method calls on objects that implement GroovyInterceptable, until a patch is available.

Fix

Protection Mechanism Failure

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-693CWE-863

Related Identifiers

CVE-2020-2134

GHSA-GJ3Q-P8CM-26RM

RHSA-2020:2478

RHSA-2020:2737

RHSA-2020:3616

Affected Products

Jenkins

Jenkins Script Security Plugin

CVE-2020-2134

Weakness Enumeration

Related Identifiers

Affected Products

References · 7