GHSA-qwm8-vgm6-f86p

Source
https://github.com/advisories/GHSA-qwm8-vgm6-f86p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qwm8-vgm6-f86p/GHSA-qwm8-vgm6-f86p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qwm8-vgm6-f86p
Aliases
Published
2022-05-13T01:15:06Z
Modified
2023-11-08T04:00:37.169745Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Script security sandbox bypass in Jenkins Email Extension Plugin
Details

A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier, in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, and src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java, that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM.

Database specific
{
    "nvd_published_at": "2019-03-08T21:29:00Z",
    "github_reviewed_at": "2022-06-01T19:47:27Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-693"
    ]
}
References

Affected packages

Maven / org.jenkins-ci.plugins:email-ext

Package

Name
org.jenkins-ci.plugins:email-ext
Purl
pkg:maven/org.jenkins-ci.plugins/email-ext

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.65

Affected versions

2.*

2.11
2.12
2.13
2.14
2.14.1
2.15
2.16
2.18
2.19
2.20
2.21
2.22
2.24.1
2.25
2.27
2.27.1
2.28
2.29
2.30
2.30.1
2.30.2
2.31
2.32
2.33
2.34
2.35
2.35.1
2.36
2.37
2.37.1
2.37.2
2.37.2.2
2.38
2.38.1
2.38.2
2.39
2.39.3
2.40-beta
2.40
2.40.1
2.40.2
2.40.3
2.40.4
2.40.5
2.41
2.41.2
2.41.3
2.42
2.43
2.44
2.45
2.46
2.47
2.50
2.51
2.52
2.53
2.54
2.55
2.56
2.57
2.57.1
2.57.2
2.58
2.59
2.60
2.61
2.62
2.62.1
2.63
2.64