PT-2024-25716 · Jenkins · Jenkins Script Security Plugin+1

Devin Nusbaum · Published 2024-05-02 · Updated 2025-10-10 · CVE-2024-34145

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Jenkins Script Security Plugin versions 1335.vf07d9ce377a_e and earlier

Description

A sandbox bypass issue involves sandbox-defined classes that shadow specific non-sandbox-defined classes, allowing attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. The vulnerability exploits crafted constructor bodies that invoke other constructors and sandbox-defined Groovy classes to construct any subclassable type. This enables attackers to bypass the sandbox feature, which is designed to allow low-privileged users to define scripts that are generally safe to execute.

Recommendations

For Jenkins Script Security Plugin versions 1335.vf07d9ce377a_e and earlier, consider disabling the sandbox feature until a patch is available to prevent attackers from bypassing the sandbox protection. Restrict access to the Jenkins controller JVM to minimize the risk of exploitation. Avoid using crafted constructor bodies and sandbox-defined Groovy classes in sandboxed scripts until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

CVE-2024-34145
GHSA-2G4Q-9VM9-9FW4
RHSA-2024:3634
RHSA-2024:3635
RHSA-2024:3636
RHSA-2024:4597

Affected Products

Jenkins
Jenkins Script Security Plugin