GHSA-v63g-v339-2673

Source

https://github.com/advisories/GHSA-v63g-v339-2673

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v63g-v339-2673/GHSA-v63g-v339-2673.json

Aliases

CVE-2024-34144

Published

2024-05-02T15:30:35Z

Modified

2024-05-03T20:43:32.976383Z

Summary

Jenkins Script Security Plugin has sandbox bypass vulnerability involving crafted constructor bodies

Details

Jenkins Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed.

Multiple sandbox bypass vulnerabilities exist in Script Security Plugin 1335.vf07d9ce377a_e and earlier:

Crafted constructor bodies that invoke other constructors can be used to construct any subclassable type via implicit casts.
Sandbox-defined Groovy classes that shadow specific non-sandbox-defined classes can be used to construct any subclassable type.

These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

These issues are caused by an incomplete fix of SECURITY-2824.

Script Security Plugin 1336.vf33aa9863911 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox:

Calls to to other constructors using this are now intercepted by the sandbox.
Classes in packages that can be shadowed by Groovy-defined classes are no longer ignored by the sandbox when intercepting super constructor calls.

References

Affected packages

Maven / org.jenkins-ci.plugins:script-security

Package

Name: org.jenkins-ci.plugins:script-security

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1336.vf33a

Affected versions

1.*

1.0-beta-1

1.0-beta-2

1.0-beta-3

1.0-beta-4

1.0-beta-5

1.0-beta-6

1.0

1.1

1.2

1.3

1.4

1.5

1.6

1.7

1.8

1.9

1.10

1.11

1.12

1.13

1.14

1.15

1.16

1.17

1.18

1.18.1

1.19

1.20

1.21

1.22

1.23

1.24

1.25

1.26

1.27

1.28

1.29

1.29.1

1.30

1.31

1.33

1.34

1.35

1.36

1.37

1.38

1.39

1.40

1.41

1.42

1.43

1.44

1.44.1

1.45

1.46

1.46.1

1.47

1.48

1.49

1.50

1.51

1.52

1.53

1.54

1.54.1

1.54.2

1.54.3

1.54.4

1.55

1.56

1.57

1.57.1

1.57.2

1.57.3

1.57.4

1.57.5

1.57.6

1.58

1.59

1.60

1.60.1

1.61

1.62

1.63

1.63.1

1.64

1.65

1.66

1.66.1

1.66.2

1.66.3

1.66.4

1.66.5

1.67

1.68

1.69

1.70

1.71

1.72

1.73

1.74

1.75

1.76

1.77

1.78

1.78.1

1118.*

1118.vba21ca2e3286

1125.*

1125.v132f99385e1b_

1131.*

1131.v8b_b_5eda_c328e

1138.*

1138.v8e727069a_025

1140.*

1140.vf967fb_efa_55a_

1145.*

1145.vb_cf6cf6ed960

1145.1148.vf6d17a_a_a_eef6

1146.*

1146.vdf547f19a_473

1158.*

1158.v7c1b_73a_69a_08

1172.*

1172.v35f6a_0b_8207e

1175.*

1175.v4b_d517d6db_f0

1175.1177.vda_175b_77d144

1175.1179.vea_f7532629e1

1175.1180.v36a_3fb_2dec9c

1183.*

1183.v774b_0b_0a_a_451

1184.*

1184.v85d16b_d851b_3

1189.*

1189.vb_a_b_7c8fd5fde

1190.*

1190.v65867a_a_47126

1209.*

1209.v50b_005db_19db

1218.*

1218.v39ca_7f7ed0a_c

1228.*

1228.vd93135a_2fb_25

1229.*

1229.v4880b_b_e905a_6

1244.*

1244.ve463715a_f89c

1251.*

1251.vfe552ed55f8d

1251.1253.v4e638b_e3b_221

1264.*

1264.vecf66020eb_7d

1265.*

1265.va_fb_290b_4b_d34

1269.*

1269.v639888f5e366

1271.*

1271.vdede89739a_81

1273.*

1273.v66c1964f0dfd

1274.*

1274.v2b_33362a_f2f5

1275.*

1275.v23895f409fb_d

1281.*

1281.v22fb_899df1a_e

1294.*

1294.v99333c047434

1301.*

1301.v0079b_cd0cdfa_

1305.*

1305.v487433146192

1310.*

1310.vf24a_dfce068b_

1313.*

1313.v7a_6067dc7087

1321.*

1321.va_73c0795b_923

1326.*

1326.vdb_c154de8669

1335.*

1335.vf07d9ce377a_e