Description
A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM.
Remediation
References
https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1340
http://www.securityfocus.com/bid/107476
Related Vulnerabilities
CVE-2021-28168 Vulnerability in maven package org.glassfish.jersey.core:jersey-common
CVE-2018-14642 Vulnerability in maven package io.undertow:undertow-core
CVE-2016-3726 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2023-33246 Vulnerability in maven package org.apache.rocketmq:rocketmq-controller
CVE-2019-10157 Vulnerability in npm package keycloak-connect