CVE-2023-24422OS Command Injection in Jenkins Script Security

CWE-78OS Command InjectionCWE-20Improper Input Validation6 documents6 sources
Severity
8.8HIGHNVD
EPSS
0.0%
top 92.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Script SecurityJenkins Project Jenkins Script Security Plugin
Timeline
PublishedJan 26

Description

A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 2.0 | Impact: 6.0

Affected Packages2 packages

CVEListV5jenkins_project/jenkins_script_security_pluginunspecified1228.vd93135a_2fb_25
NVDjenkins/script_security< 1229.v4880b_b_e905a_6

🔴Vulnerability Details

3
OSV
Sandbox bypass in Jenkins Script Security Plugin2023-01-26
GHSA
Sandbox bypass in Jenkins Script Security Plugin2023-01-26
CVEList
CVE-2023-24422: A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 12282023-01-24

📋Vendor Advisories

2
Jenkins
Jenkins Security Advisory 2023-01-242023-01-24
Red Hat
jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin2023-01-24
CVE-2023-24422 — OS Command Injection in Jenkins | cvebase