609 matches found
Security feature bypass
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts...
CVE-2019-10356
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts...
CVE-2019-10355
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts...
CVE-2019-10355
CVE-2019-10355 is a sandbox bypass in the Jenkins Script Security Plugin (versions 1.61 and earlier) that lets attackers escape the sandbox by exploiting how type casts are handled, enabling arbitrary code execution in sandboxed Groovy scripts. The vulnerability affected the plugin used wit...
CVE-2019-10356
CVE-2019-10356 is a sandbox bypass in Jenkins Script Security Plugin 1.61 and earlier, related to handling of method pointer expressions that could allow an attacker to execute arbitrary code in sandboxed scripts. The vulnerability is referenced across multiple advisories (Red Hat RHSA for OpenSh...
PT-2019-2881 · Jenkins · Jenkins Script Security Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Script Security Plugin versions 1.61 and earlier Description: A sandbox bypass issue related to the handling of method pointer expressions allows attackers to execute arbitrary code in sandboxed scripts. The vulnerability is related t...
PT-2019-2880 · Jenkins · Jenkins Script Security Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Script Security Plugin versions 1.61 and earlier Description: The issue is related to a sandbox bypass vulnerability in the handling of type casts, allowing attackers to execute arbitrary code in sandboxed scripts. This could...
CVE-2019-12578
A vulnerability in the London Trust Media Private Internet Access PIA VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The openvpnlauncher.64 binary is setuid root. This binary executes /opt/pia/openvpn-64/openvpn, passing the...
RHEL 7 : OpenShift Container Platform 4.1 jenkins-2-plugins (RHSA-2019:1636)
The remote Red Hat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2019:1636 advisory. This advisory contains the jenkins-2-plugins RPM packages for Red Hat OpenShift Container Platform 4.1.4. See the following advisory for the...
Arbitrary Code Execution
jenkins-plugin-workflow-cps is vulnerable to arbitrary code execution. A sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin allows an attacker to invoke arbitrary constructors in sandboxed scripts...
Arbitrary Code Execution
jenkins-plugin-script-security is vulnerable to arbitrary code execution. A sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin allows an attacker to invoke arbitrary constructors in sandboxed scripts...
jenkins-plugin-script-security: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353)
A flaw was found in the Jenkins Script Security and Pipeline: Groovy plugins. The sandbox protections could be circumvented through methods supporting type casts and type coercion, allowing attackers to invoke constructors for arbitrary types. The highest threat from this vulnerability is to data confidentiality and integrity a...
Code injection
Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection...
CVE-2019-10328
Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke arbitrary methods, bypassing typical sandbox protection...
PT-2019-2637 · Jenkins · Jenkins Pipeline Remote Loader Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline Remote Loader Plugin versions 1.4 and earlier Description: The issue is related to the custom whitelist for script security in the Jenkins Pipeline Remote Loader Plugin, which allowed attackers to invoke arbitrary methods and...
Sandbox Protection Bypass
Jenkins Script Security Plugin is vulnerable to a sandbox protection bypass. The flaw exists in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java, which allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint...
Sandbox Protection Bypass
Jenkins Script Security Plugin is vulnerable to sandbox protection bypass attacks. The flaw exists in RejectASTTransformsCustomizer.java, which allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that could result in arbitrary code execution on the Jenkins...
jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1320)
A flaw was found in the Jenkins script security sandbox. The previously implemented script security sandbox protections prohibiting the use of unsafe AST transforming annotations such as @Grab could be circumvented through use of various Groovy language features including the use of...
jenkins-plugin-script-security: sandbox bypass in script security plugin
A flaw was found in the Jenkins Script Security plugin version 1.53. An attacker with Overall/Read permissions is able to escape the sandbox and execute arbitrary code on the Jenkins master JVM. The highest threat from this vulnerability is to data confidentiality and integrity as well as system...
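The entries above state affected versions as "1.61 and earlier" (Script Security, CVE-2019-10355 and CVE-2019-10356) and "1.4 and earlier" (Pipeline Remote Loader, CVE-2019-10328). The check a practitioner wants is to run an installed-plugin inventory against those bounds. The script below is an added example, not code from Jenkins or from any of the advisories listed; it reads the JSON shape returned by the Jenkins plugin manager API (`/pluginManager/api/json?depth=1`, a `plugins` array with `shortName` and `version`), and the sample inventory is constructed. The plugin short names `script-security` and `workflow-remote-loader` are assumptions to be confirmed against your own instance, and the affected table covers only the version bounds stated on this page, not all 609 matches.

```python
"""Check a Jenkins plugin inventory against the affected-version bounds quoted above."""
import json
import re

# Affected ranges taken from the entries on this page (upper bound inclusive).
# Plugin short names are assumptions; confirm them in /pluginManager/api/json.
AFFECTED = {
    "script-security": [
        ("CVE-2019-10355", "1.61"),   # sandbox bypass via type casts
        ("CVE-2019-10356", "1.61"),   # sandbox bypass via method pointer expressions
    ],
    "workflow-remote-loader": [
        ("CVE-2019-10328", "1.4"),    # custom whitelist allowed arbitrary methods
    ],
}

_NUM = re.compile(r"\d+")


def parse_version(v):
    """Turn '1.61', '1.61.1' or '1.62-beta-1' into a comparable tuple.

    Only the leading dotted numeric part is compared. Trailing zeros are
    dropped so '1.61.0' equals '1.61'. A pre-release suffix ('-beta', '-rc')
    sorts below the plain release, because it is older than that release.
    """
    core, _, suffix = v.partition("-")
    nums = [int(n) for n in _NUM.findall(core)]
    while nums and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), 0 if suffix else 1)


def is_affected(installed, max_affected):
    """True when the installed version is <= the stated 'and earlier' bound."""
    return parse_version(installed) <= parse_version(max_affected)


def check_inventory(inventory_json):
    """inventory_json: body of /pluginManager/api/json?depth=1.

    Returns a list of (shortName, installed_version, cve, affected_through).
    """
    findings = []
    for plugin in json.loads(inventory_json)["plugins"]:
        name, version = plugin["shortName"], plugin["version"]
        for cve, max_affected in AFFECTED.get(name, []):
            if is_affected(version, max_affected):
                findings.append((name, version, cve, max_affected))
    return findings


# Constructed sample inventory, shaped like the real endpoint's output.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "script-security", "version": "1.61", "active": True},
    {"shortName": "workflow-remote-loader", "version": "1.5", "active": True},
    {"shortName": "workflow-cps", "version": "2.70", "active": True},
]})

if __name__ == "__main__":
    for name, version, cve, bound in check_inventory(SAMPLE_INVENTORY):
        print("%s %s is affected by %s (affected through %s)" % (name, version, cve, bound))
```

The sample reports `script-security 1.61` for both CVE-2019-10355 and CVE-2019-10356 and stays silent on `workflow-remote-loader 1.5`, which is past the 1.4 bound. Feed it the real JSON with something like `check_inventory(open("plugins.json").read())` after saving the endpoint's response; treat a hit as a prompt to read the full advisory, since a vendor build may carry a backported fix under the same version string.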