Jenkins Groovy Plugin sandbox bypass vulnerability
A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins....
8.8CVSS
1.8AI Score
0.001EPSS
Jenkins Groovy Plugin sandbox bypass vulnerability
A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins....
8.8CVSS
1.8AI Score
0.001EPSS
Jenkins Script Security Plugin sandbox bypass vulnerability
The previously implemented script security sandbox protections prohibiting the use of unsafe AST transforming annotations such as @Grab (2019-01-08 fix for SECURITY-1266) could be circumvented through use of various Groovy language features: Use of AnnotationCollector Import aliasing Referencing...
8.8CVSS
7.7AI Score
0.005EPSS
Jenkins Script Security Plugin sandbox bypass vulnerability
The previously implemented script security sandbox protections prohibiting the use of unsafe AST transforming annotations such as @Grab (2019-01-08 fix for SECURITY-1266) could be circumvented through use of various Groovy language features: Use of AnnotationCollector Import aliasing Referencing...
8.8CVSS
7.8AI Score
0.005EPSS
Jenkins Groovy Plugin sandbox bypass vulnerability
Jenkins Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with...
8.8CVSS
7.6AI Score
0.627EPSS
Jenkins Pipeline Declarative Plugin sandbox bypass vulnerability
Jenkins Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with...
8.8CVSS
7.6AI Score
0.627EPSS
Jenkins Groovy Plugin sandbox bypass vulnerability
Jenkins Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with...
8.8CVSS
7.7AI Score
0.627EPSS
Jenkins Pipeline Declarative Plugin sandbox bypass vulnerability
Jenkins Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with...
8.8CVSS
7.9AI Score
0.627EPSS
Protection Mechanism Failure in Jenkins Script Security Plugin
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master...
8.8CVSS
5.2AI Score
0.686EPSS
Protection Mechanism Failure in Jenkins Script Security Plugin
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master...
8.8CVSS
5.2AI Score
0.686EPSS
Sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed...
9.8CVSS
5.1AI Score
0.017EPSS
Sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed...
9.8CVSS
5.1AI Score
0.017EPSS
Script security sandbox bypass in Jenkins Job DSL Plugin
A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy,...
9.9CVSS
4.8AI Score
0.004EPSS
Script security sandbox bypass in Jenkins Job DSL Plugin
A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy,...
9.9CVSS
4.8AI Score
0.004EPSS
Jenkins Groovy Plugin sandbox bypass vulnerability
A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and earlier in pom.xml, src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM. Groovy Plugin 2.2 uses Script Security APIs....
8.8CVSS
5.3AI Score
0.001EPSS
Jenkins Groovy Plugin sandbox bypass vulnerability
A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and earlier in pom.xml, src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM. Groovy Plugin 2.2 uses Script Security APIs....
8.8CVSS
5.3AI Score
0.001EPSS
Sandbox bypass in Jenkins Pipeline: Groovy Plugin
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master...
9.9CVSS
5.1AI Score
0.006EPSS
Sandbox bypass in Jenkins Pipeline: Groovy Plugin
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master...
9.9CVSS
5.1AI Score
0.006EPSS
Sandbox Bypass in Script Security Plugin
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in....
8.8CVSS
2.6AI Score
0.004EPSS
Sandbox bypass in Script Security Plugin
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with...
9.9CVSS
5AI Score
0.009EPSS
Sandbox bypass in Script Security Plugin
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with...
9.9CVSS
5AI Score
0.009EPSS
Sandbox Bypass in Script Security Plugin
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in....
8.8CVSS
2.6AI Score
0.004EPSS
Jenkins Pipeline is vulnerable to sandbox bypass. It uses the names of Pipeline libraries to create cache directories without any sanitization, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially crafted library...
8.8CVSS
3.9AI Score
0.001EPSS
Sensitive Information Disclosure
Jenkins Pipeline is vulnerable to sensitive information disclosure. It includes password parameters from the original build in replayed builds, allowing attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline. A flaw was found in...
4.3CVSS
3.1AI Score
0.001EPSS
Jenkins Pipeline is vulnerable to symbolic links. It follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system. A flaw.....
6.5CVSS
3.6AI Score
0.001EPSS
Jenkins Pipeline is vulnerable to OS command injection. It uses the same checkout directories for distinct SCMs for Pipeline libraries, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents. A flaw was found in Jenkins. The....
8.8CVSS
4.5AI Score
0.001EPSS
Oracle Business Process Management Suite (Apr 2022 CPU)
The version of Oracle Business Process Management Suite installed on the remote host is affected by multiple vulnerabilities, as referenced in the April 2022 CPU advisory. Specifically: Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware ...
9.8CVSS
8AI Score
0.009EPSS
4.4CVSS
5.8AI Score
0.001EPSS
4.9CVSS
5.8AI Score
0.001EPSS
A flaw was found in the Jenkins Pipeline: Shared Groovy Libraries plugin. The Jenkins Pipeline: Shared Groovy Libraries plugin allows attackers to submit pull requests. However, the attacker cannot commit directly to the configured Source Control Management (SCM) to effectively change the Pipeline....
5.3CVSS
1.6AI Score
0.001EPSS
Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline...
5.3CVSS
5.7AI Score
0.001EPSS
Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline...
5.3CVSS
1.2AI Score
0.001EPSS
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a...
5.3CVSS
0.001EPSS
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a...
5.3CVSS
5.3AI Score
0.001EPSS
7.5CVSS
7.3AI Score
0.001EPSS
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a...
5.3CVSS
5.3AI Score
0.001EPSS
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a...
5.8AI Score
0.001EPSS
Elasticsearch Groovy Scripting Engine Remote Code Execution Vulnerability
The Groovy scripting engine in Elasticsearch allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell...
9.1AI Score
0.856EPSS
7.5CVSS
7.3AI Score
0.013EPSS
The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.277.x prior to 2.277.43.0.7, 2.303.x prior to 2.303.30.0.6, or 2.x prior to 2.319.3.4. It is, therefore, affected by multiple vulnerabilities, including the following: Jenkins Pipeline: Groovy...
8.8CVSS
7.6AI Score
0.001EPSS
Liferay Portal and Liferay DXP Cross-Site Scripting Vulnerability (CNVD-2022-19496)
Liferay Portal and Liferay DXP are both products of Liferay, a J2EE-based portal solution that uses EJB and JMS technologies and serves as a web publishing and shared workspace, enterprise collaboration platform, social network, etc. Liferay DXP is a digital experience collaboration platform....
6.1CVSS
0.5AI Score
0.001EPSS
Jenkins Pipeline Shared Groovy Libraries Plugin Arbitrary File Read Vulnerability
Jenkins is a Jenkins open source application. An open source automation server Jenkins provides hundreds of plugins to support building, deploying and automating any project.Jenkins Pipeline Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier versions have an arbitrary file read...
6.5CVSS
1.3AI Score
0.001EPSS
7CVSS
7.5AI Score
0.0005EPSS
7CVSS
7.4AI Score
0.0004EPSS
7CVSS
7.5AI Score
0.0005EPSS
7CVSS
7.5AI Score
0.0005EPSS
A flaw was found in Jenkins. The Pipeline: Shared Groovy Libraries Plugin uses the names of Pipeline libraries to create directories without canonicalization or sanitization. This flaw allows attackers with item/configure permission to execute arbitrary code in the context of the Jenkins...
8.8CVSS
5.2AI Score
0.001EPSS
A flaw was found in Jenkins. The Pipeline: Shared Groovy Libraries plugin uses the names of Pipeline libraries to create cache directories without any sanitization. This flaw allows attackers with item/configure permission to execute arbitrary code in the context of the Jenkins controller JVM,...
8.8CVSS
4AI Score
0.001EPSS
A flaw was found in Jenkins. The Pipeline: Shared Groovy Libraries Plugin uses the same workspace directory for all checkouts of Pipeline libraries with the same name, regardless of the SCM used and the source of the library configuration. This flaw allows attackers with item/configure permission.....
8.8CVSS
3.5AI Score
0.001EPSS
A flaw was found in Jenkins. The Pipeline: Groovy Plugin includes password parameters from the original build in replayed builds. This flaw allows attackers with run/replay permission to obtain the values of password parameters passed to previous builds of a...
4.3CVSS
4.2AI Score
0.001EPSS