CVE-2020-2135

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins Script Security Plugin versions 1.70 and earlier

Description The sandbox protection in the Jenkins Script Security Plugin could be circumvented through crafted method calls on objects that implement GroovyInterceptable, or through crafted constructor calls and bodies. This allows attackers who can specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

Recommendations For Jenkins Script Security Plugin versions 1.70 and earlier, update to version 1.71 or later, which includes additional restrictions and sanity checks to prevent the circumvention of sandbox protection. As a temporary workaround, consider restricting the use of objects that implement GroovyInterceptable in sandboxed scripts until a patch is applied.

Fix

Protection Mechanism Failure

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-693CWE-863

Related Identifiers

CVE-2020-2135

GHSA-QVHF-3567-PC4V

RHSA-2020:2478

RHSA-2020:2737

RHSA-2020:3616

Affected Products

Jenkins

Jenkins Script Security Plugin

CVE-2020-2135

Weakness Enumeration

Related Identifiers

Affected Products

References · 7