Access Restriction Bypass Affecting org.jenkins-ci.plugins:script-security package, versions [,1229.v4880b_b_e905a_6)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.04% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Access Restriction Bypass vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGJENKINSCIPLUGINS-3247341
  • published25 Jan 2023
  • disclosed25 Jan 2023
  • creditDevin Nusbaum (CloudBees)

Introduced: 25 Jan 2023

CVE-2023-24422  (opens in a new tab)
CWE-284  (opens in a new tab)

How to fix?

Upgrade org.jenkins-ci.plugins:script-security to version 1229.v4880b_b_e905a_6 or higher.

Overview

org.jenkins-ci.plugins:script-security is a package that allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Affected versions of this package are vulnerable to Access Restriction Bypass due to property assignments performed implicitly by the Groovy language runtime when invoking map constructors not being executed in a sandbox.This allows users with permissions to define and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

CVSS Scores

version 3.1