Sandbox Protection Bypass

2019-05-1603:58:57

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.005 Low

EPSS

Percentile

77.3%

JSON

Jenkins Script Security Plugin is vulnerable to sandbox protection bypass attacks. This exists in the RejectASTTransformsCustomizer.java which allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that could result in arbitrary code execution on the Jenkins master JVM.

CPENameOperatorVersion
jenkins-2-pluginseq3.10.1525788236__1.el7
jenkins-2-pluginseq3.9.1519779801__1.el7
jenkins-2-pluginseq3.7.1510081324__1.el7
jenkins-2-pluginseq3.11.1549642489__1.el7
jenkins-2-pluginseq3.11.1542061886__1.el7
jenkins-2-pluginseq3.11.1535566135__1.el7
jenkins-2-pluginseq3.7.1502412812__1.el7
jenkins-2-pluginseq3.7.1527795978__1.el7
jenkins-2-pluginseq3.11.1539805268__1.el7

Name	Operator	Version
jenkins-2-plugins	eq	3.10.1525788236__1.el7
jenkins-2-plugins	eq	3.9.1519779801__1.el7
jenkins-2-plugins	eq	3.7.1510081324__1.el7
jenkins-2-plugins	eq	3.11.1549642489__1.el7
jenkins-2-plugins	eq	3.11.1542061886__1.el7
jenkins-2-plugins	eq	3.11.1535566135__1.el7
jenkins-2-plugins	eq	3.7.1502412812__1.el7
jenkins-2-plugins	eq	3.7.1527795978__1.el7
jenkins-2-plugins	eq	3.11.1539805268__1.el7