Description

Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/02/12/3

https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1713

Related Vulnerabilities

CVE-2022-29078 Vulnerability in npm package ejs

CVE-2020-13961 Vulnerability in npm package strapi

CVE-2022-21191 Vulnerability in npm package global-modules-path

CVE-2020-13943 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

CVE-2020-2250 Vulnerability in maven package org.jenkins-ci.plugins:soapui-pro-functional-testing

Severity

Critical

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory Vendor Advisory