Protection Mechanism Failure Affecting org.jenkins-ci.plugins:script-security package, versions [0,]


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.12% (49th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGJENKINSCIPLUGINS-3057185
  • published 20 Oct 2022
  • disclosed 19 Oct 2022
  • credit Devin Nusbaum

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

org.jenkins-ci.plugins:script-security is a package that allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Affected versions of this package are vulnerable to Protection Mechanism Failure due to a sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors. Exploiting this vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7 high
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    High
  • Integrity (I)
    Low
  • Availability (A)
    Low
Expand this section

NVD

9.9 critical
Expand this section

Red Hat

9.9 critical