PT-2024-25715 · Jenkins · Jenkins Script Security Plugin+1
Devin Nusbaum · Published 2024-05-02 · Updated 2025-10-10 · CVE-2024-34144
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Script Security Plugin versions 1335.vf07d9ce377a_e and earlier
Description
A sandbox bypass issue allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. This is due to crafted constructor bodies that can invoke other constructors, allowing the construction of any subclassable type via implicit casts. Additionally, sandbox-defined Groovy classes that shadow specific non-sandbox-defined classes can be used to construct any subclassable type. The issue is caused by an incomplete fix of a previous security issue.
Recommendations
For Jenkins Script Security Plugin versions 1335.vf07d9ce377a_e and earlier, update to version 1336.vf33a_a_9863911 or later, which includes additional restrictions and sanity checks to prevent super constructors from being constructed without being intercepted by the sandbox. As a temporary workaround, consider restricting access to the sandbox feature to minimize the risk of exploitation.
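One way to check a plugin inventory against the fixed release named above, as an added example that is not part of the advisory or of Jenkins itself. The inventory format (`<controller> <plugin>:<version>`), the controller names and the sample lines are constructed assumptions; `script-security` is the plugin's short name, and version strings are written in Jenkins' underscore form.

```python
import re

PLUGIN = "script-security"        # plugin short name
FIXED = "1336.vf33a_a_9863911"    # first fixed release per the advisory

# Constructed sample: <controller> <plugin-short-name>:<version>
SAMPLE_INVENTORY = """\
ci-a script-security:1335.vf07d9ce377a_e
ci-a workflow-cps:3894.vd0f0248b_a_fc4
ci-b script-security:1336.vf33a_a_9863911
ci-c script-security:1.78
ci-d script-security:SNAPSHOT
"""

def release_key(version):
    """Leading numeric components of a plugin version, as a tuple.

    Covers legacy dotted versions ("1.78") and the newer
    "<number>.v<abbreviated-hash>" form; the hash part carries no
    ordering information, so parsing stops at the first non-numeric part.
    """
    parts = []
    for comp in version.strip().split("."):
        if not re.fullmatch(r"[0-9]+", comp):
            break
        parts.append(int(comp))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)

def is_vulnerable(version):
    return release_key(version) < release_key(FIXED)

def audit(inventory_text):
    """Return (controller, version, status) for every script-security entry."""
    findings = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        controller, _, spec = line.partition(" ")
        name, _, version = spec.strip().partition(":")
        if name != PLUGIN:
            continue
        try:
            status = "VULNERABLE" if is_vulnerable(version) else "ok"
        except ValueError:
            status = "unknown"  # unparseable version: review by hand
        findings.append((controller, version, status))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row)
```

Entries reported as `unknown` have a version string with no leading number and need a manual look rather than being treated as patched.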
Fix
Protection Mechanism Failure
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Script Security Plugin